From be45b07ef7f1cce7a4c5390ccc09f3add3b199ed Mon Sep 17 00:00:00 2001 
From: research-bot Date: Thu, 15 Feb 2024 21:11:10 +0000 Subject: [PATCH 1/5] Auto-update dist/* files for ESCU,BA,API via release job for tag v4.24.0 [skip ci] --- dist/DA-ESS-ContentUpdate/app.manifest | 2 +- .../default/analyticstories.conf | 3214 +++---- dist/DA-ESS-ContentUpdate/default/app.conf | 6 +- .../default/collections.conf | 2 +- .../default/content-version.conf | 4 +- .../default/es_investigations.conf | 2 +- dist/DA-ESS-ContentUpdate/default/macros.conf | 90 +- .../default/savedsearches.conf | 7576 +++++++++-------- .../default/transforms.conf | 2 +- .../default/workflow_actions.conf | 2 +- dist/api/detections.json | 2 +- dist/api/macros.json | 2 +- dist/api/stories.json | 2 +- dist/api/version.json | 2 +- ...ssa___anomalous_usage_of_archive_tools.yml | 4 +- .../srs/ssa___attempt_to_delete_services.yml | 4 +- .../srs/ssa___attempt_to_disable_services.yml | 4 +- ...dential_dump_from_registry_via_reg_exe.yml | 4 +- ..._bcdedit_failure_recovery_modification.yml | 4 +- ...ar_unallocated_sector_using_cipher_app.yml | 4 +- ...ate_local_admin_accounts_using_net_exe.yml | 4 +- ...eate_local_user_accounts_using_net_exe.yml | 4 +- dist/ssa/srs/ssa___delete_a_net_user.yml | 4 +- dist/ssa/srs/ssa___deleting_shadow_copies.yml | 4 +- ...___deny_permission_using_cacls_utility.yml | 4 +- ...wershell_applications_spawning_cmd_exe.yml | 4 +- ...t_prohibited_browsers_spawning_cmd_exe.yml | 4 +- ...d_office_applications_spawning_cmd_exe.yml | 4 +- ...ssa___detect_rclone_command_line_usage.yml | 4 +- .../srs/ssa___disable_net_user_account.yml | 4 +- ...___dns_exfiltration_using_nslookup_app.yml | 4 +- dist/ssa/srs/ssa___fsutil_zeroing_file.yml | 4 +- ...__grant_permission_using_cacls_utility.yml | 4 +- ..._files_and_directories_with_attrib_exe.yml | 4 +- ...fy_acls_permission_of_files_or_folders.yml | 4 +- ...e_product_spawning_windows_script_host.yml | 4 +- .../srs/ssa___resize_shadowstorage_volume.yml | 4 +- .../ssa___sdelete_application_execution.yml | 4 +- 
...ervices_lolbas_execution_process_spawn.yml | 4 +- ...ocess_running_from_unexpected_location.yml | 4 +- .../ssa___wbadmin_delete_system_backups.yml | 4 +- .../ssa___wevtutil_usage_to_clear_logs.yml | 4 +- .../ssa___wevtutil_usage_to_disable_logs.yml | 4 +- .../ssa___windows_bits_job_persistence.yml | 4 +- .../ssa___windows_bitsadmin_download_file.yml | 8 +- .../ssa___windows_certutil_decode_file.yml | 4 +- ...a___windows_certutil_urlcache_download.yml | 8 +- ...___windows_certutil_verifyctl_download.yml | 8 +- ..._hijacking_inprocserver32_modification.yml | 4 +- ...dows_curl_upload_to_remote_destination.yml | 8 +- ...group_policy_object_modified_with_gpme.yml | 4 +- ...ws_defender_tools_in_non_standard_path.yml | 4 +- ...a___windows_diskshadow_proxy_execution.yml | 4 +- ...ows_dotnet_binary_in_non_standard_path.yml | 4 +- ...ndows_exchange_powershell_module_usage.yml | 4 +- ...s_execute_arbitrary_commands_with_msdt.yml | 4 +- ...ws_file_share_discovery_with_powerview.yml | 4 +- .../ssa___windows_findstr_gpp_discovery.yml | 4 +- ...s_ingress_tool_transfer_using_explorer.yml | 8 +- ...ows_lolbin_binary_in_non_standard_path.yml | 4 +- .../srs/ssa___windows_mshta_child_process.yml | 4 +- .../ssa___windows_mshta_command_line_url.yml | 4 +- ...a___windows_mshta_inline_hta_execution.yml | 4 +- ...___windows_odbcconf_load_response_file.yml | 4 +- ...tial_dumping_with_ntdsutil_export_ntds.yml | 4 +- ...ws_os_credential_dumping_with_procdump.yml | 4 +- ...connect_to_internet_with_hidden_window.yml | 4 +- ...re_authentication_discovery_get_aduser.yml | 4 +- ...uthentication_discovery_with_powerview.yml | 4 +- .../ssa___windows_powershell_downloadfile.yml | 4 +- ..._windows_powershell_start_bitstransfer.yml | 8 +- ...sa___windows_powersploit_gpp_discovery.yml | 4 +- .../ssa___windows_rasautou_dll_execution.yml | 4 +- ...onsole_exe_lolbas_in_non_standard_path.yml | 4 +- ...adplus_exe_lolbas_in_non_standard_path.yml | 4 +- ...dvpack_dll_lolbas_in_non_standard_path.yml | 4 +- 
...ecutor_exe_lolbas_in_non_standard_path.yml | 4 +- ...taller_exe_lolbas_in_non_standard_path.yml | 4 +- ...appvlp_exe_lolbas_in_non_standard_path.yml | 4 +- ...mpiler_exe_lolbas_in_non_standard_path.yml | 4 +- ...ies_at_exe_lolbas_in_non_standard_path.yml | 4 +- ...broker_exe_lolbas_in_non_standard_path.yml | 4 +- ...__windows_rundll32_comsvcs_memory_dump.yml | 4 +- ..._windows_rundll32_inline_hta_execution.yml | 4 +- ...sa___windows_script_host_spawn_msbuild.yml | 4 +- ...execution_compiled_html_file_decompile.yml | 4 +- ...compiled_html_file_url_in_command_line.yml | 4 +- ...l_file_using_infotech_storage_handlers.yml | 4 +- ...xy_execution_msiexec_dllregisterserver.yml | 4 +- ...roxy_execution_msiexec_remote_download.yml | 4 +- ...proxy_execution_msiexec_unregister_dll.yml | 4 +- .../ssa___windows_wmiprvse_spawn_msbuild.yml | 4 +- 92 files changed, 6238 insertions(+), 5006 deletions(-) diff --git a/dist/DA-ESS-ContentUpdate/app.manifest b/dist/DA-ESS-ContentUpdate/app.manifest index ac66c30f0d..96ec6dded7 100644 --- a/dist/DA-ESS-ContentUpdate/app.manifest +++ b/dist/DA-ESS-ContentUpdate/app.manifest @@ -5,7 +5,7 @@ "id": { "group": null, "name": "DA-ESS-ContentUpdate", - "version": "4.23.0" + "version": "4.24.0" }, "author": [ { diff --git a/dist/DA-ESS-ContentUpdate/default/analyticstories.conf b/dist/DA-ESS-ContentUpdate/default/analyticstories.conf index 38c470747c..ca4095fd9d 100644 --- a/dist/DA-ESS-ContentUpdate/default/analyticstories.conf +++ b/dist/DA-ESS-ContentUpdate/default/analyticstories.conf @@ -1,6 +1,6 @@ ############# # Automatically generated by generator.py in splunk/security_content -# On Date: 2024-02-07T01:48:59 UTC +# On Date: 2024-02-15T21:06:12 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# 
@@ -23,7 +23,7 @@ asset_type = Web Server confidence = medium explanation = The following analytic uses a pretrained machine learning text classifier to detect potentially risky commands. The model is trained independently and then the model file is packaged within ESCU for usage. A command is deemed risky based on the presence of certain trigger keywords, along with the context and the role of the user (please see references). The model uses custom features to predict whether a SPL is risky using text classification. The model takes as input the command text, user and search type and outputs a risk score between [0,1]. A high score indicates higher likelihood of a command being risky. This model is on-prem only. how_to_implement = This detection depends on the MLTK app which can be found here - https://splunkbase.splunk.com/app/2890/ and the Splunk Audit datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. Additionally, you need to be ingesting logs which include Search_Activity.search, Search_Activity.user, Search_Activity.search_type from your endpoints. The risk score threshold should be adjusted based on the environment. The detection uses a custom MLTK model hence we need a few more steps for deployment, as outlined here - https://gist.github.com/ksharad-splunk/be2a62227966049047f5e5c4f2adcabb. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} known_false_positives = False positives may be present if suspicious behavior is observed, as determined by frequent usage of risky keywords. providing_technologies = null 
@@ -45,7 +45,7 @@ asset_type = Endpoint confidence = medium explanation = The search looks at the change-analysis data model and detects email files created outside the normal Outlook directory. how_to_implement = To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1114", "T1114.001"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.001"], "nist": ["DE.CM"]} known_false_positives = Administrators and users sometimes prefer backing up their email data by moving the email files into a different folder. These attempts will be detected by the search. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -55,7 +55,7 @@ asset_type = Endpoint confidence = medium explanation = This search looks for an increase of data transfers from your email server to your clients. This could be indicative of a malicious actor collecting data using your email server. how_to_implement = This search requires you to be ingesting your network traffic and populating the Network_Traffic data model. Your email servers must be categorized as "email_server" for the search to work, as well. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The "deviation_threshold" field is a multiplying factor to control how much variation you're willing to tolerate. The "minimum_data_samples" field is the minimum number of connections of data samples required for the statistic to be valid. -annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.AE"]} known_false_positives = The false-positive rate will vary based on how you set the deviation_threshold and data_samples values. Our recommendation is to adjust these values based on your network traffic to and from your email servers. providing_technologies = null 
@@ -75,7 +75,7 @@ asset_type = Infrastructure confidence = medium explanation = This hunting analytic identifies multiple failed logon attempts from a single IP. Use this analytic to identify patterns of suspicious logins from a single source and filter as needed or use this to drive tuning for higher fidelity analytics. how_to_implement = This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]} known_false_positives = A single public IP address servicing multiple legitmate users may trigger this search. In addition, the threshold of 5 distinct users may be too low for your needs. You may modify the included filter macro `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter` to raise the threshold or except specific IP adresses from triggering this search. providing_technologies = null @@ -95,7 +95,7 @@ asset_type = Infrastructure confidence = medium explanation = The following analytic utilizes the user.acount.lock event to identify associates who are locked out of Okta. An adversary attempting to brute force or password spray account names may lock accounts out depending on the threshold. how_to_implement = This analytic is specific to Okta and requires Okta logs to be ingested. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]} known_false_positives = False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete. providing_technologies = null 
@@ -105,7 +105,7 @@ asset_type = Infrastructure confidence = medium explanation = The following anomaly will generate based on account lockout events utilizing Okta eventTypes of user.account.lock.limit or user.account.lock. Per the Okta docs site, this event is fired when a user account has reached the lockout limit. The account will not auto-unlock and a user or client cannot gain access to the account. This event indicates an account that will not be able to log in until remedial action is taken by the account admin. This event can be used to understand the specifics of an account lockout. Often this indicates a client application that is repeatedly attempting to authenticate with invalid credentials such as an old password. how_to_implement = This analytic is specific to Okta and requires Okta logs to be ingested. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]} known_false_positives = None. Account lockouts should be followed up on to determine if the actual user was the one who caused the lockout, or if it was an unauthorized actor. providing_technologies = null 
@@ -115,7 +115,7 @@ asset_type = Infrastructure confidence = medium explanation = The following anomaly identifies failed Okta SSO events utilizing the legacy Okta event "unauth app access attempt". how_to_implement = This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]} known_false_positives = There may be a faulty config preventing legitmate users from accessing apps they should have access to. providing_technologies = null @@ -125,7 +125,7 @@ asset_type = Infrastructure confidence = medium explanation = The following analytic identifies patterns within Okta data to determine the amount of successful and failed pushes. Based on that, eval statements determine a finding of whether this is suspicious or not. The events are within a window of time and may be tuned as needed. how_to_implement = This analytic is specific to Okta and requires Okta logs to be ingested. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]} known_false_positives = False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete. providing_technologies = null 
@@ -144,7 +144,7 @@ In sequence, the logic for the analytic - \ * Counts the total number of push events, successful authentication events, and any push sources where the client is a new device. \ * Creates a ratio of successful sign-ins to pushes. \ * If the ratio (currently tuned aggressively) indicates push spam, or if a user has rejected a push, the detection proceeds to evaluate whether there is more than one IP address used during the session (session roaming) and the presence of both a new IP and new device during the session. how_to_implement = This analytic is specific to Okta and requires Okta:im2 logs to be ingested. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1621"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1621"], "nist": ["DE.CM"]} known_false_positives = False positives may be present based on organization size and configuration of Okta. Monitor, tune and filter as needed. providing_technologies = null @@ -158,7 +158,7 @@ explanation = The following analytic identifies multiple failed app requests in * Creates a ratio of successful SSO events to total MFA challenges related to Application Sign On Policies \ * Alerts when more than half of app sign on events are unsuccessful, and challenges were unsatisfied for more than three apps. how_to_implement = This analytic is specific to Okta and requires Okta:im2 logs to be ingested. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1550.004", "T1538"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550.004", "T1538"], "nist": ["DE.AE"]} known_false_positives = False positives may be present based on organization size and configuration of Okta. providing_technologies = null 
@@ -168,7 +168,7 @@ asset_type = Infrastructure confidence = medium explanation = The following analytic identifies when a new API token is created. Adversaries who have gained access to a privileged account may add a new token for persistence. This analytic uses the eventType system.api_token.create. how_to_implement = This analytic is specific to Okta and requires Okta logs to be ingested. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.CM"]} known_false_positives = False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. providing_technologies = null @@ -178,7 +178,7 @@ asset_type = Infrastructure confidence = medium explanation = The following anomaly will be generated when a new device is added to an account. Albeit not malicious, risk is set low, but should be monitored. This anomaly utilizes the legacy events from Okta. how_to_implement = This analytic is specific to Okta and requires Okta logs to be ingested. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]} known_false_positives = Tune the risk score as needed based on your organization. providing_technologies = null 
@@ -188,7 +188,7 @@ asset_type = Infrastructure confidence = medium explanation = The following analytic identifies when Okta''s FastPass prevents known phishing sites. When your users are enrolled in FastPass, Okta can provide defenders a high-fidelity signal for when user applications are being targeted by attackers wielding real-time (AiTM) proxies. Okta''s Defensive Cyber Operations team routinely identifies phishing infrastructure configured to imitate an Okta sign-in page and proactively notify Okta customers when suspicious infrastructure we detect appears to be targeting their users. Since March 2020, we have delivered over 1000 notifications to customers. how_to_implement = This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.001", "T1556"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001", "T1556"], "nist": ["DE.CM"]} known_false_positives = Fidelity of this is high as Okta is specifying malicious infrastructure. Filter and modify as needed. providing_technologies = null 
@@ -198,7 +198,7 @@ asset_type = Infrastructure confidence = medium explanation = The following correlation will take risk associated with the content from "Suspicious Okta Activity" and "Okta MFA Exhaustion" analytic stories and tally it up. Once it hits the threshold of 100 (can be changed), it will trigger an a notable. As needed, reduce or raise the risk scores assocaited with the anomaly and TTP analytics tagged to these two analytic stories. how_to_implement = Ensure "Suspicious Okta Activity" and "Okta MFA Exhaustion" analytic stories are enabled. TTP may be set to Notables for point detections, anomaly should not be notables but risk generators. The correlation relies on risk before generating a notable. Modify the value as needed. Default threshold is 100. This value may need to be increased based on activity in your environment. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1110"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1110"], "nist": ["DE.AE"]} known_false_positives = False positives will be limited to the amount of events generated by the analytics tied to the stories. Analytics will need to be tesetd and tuned, risk score reduced, as needed based on organization. providing_technologies = null 
@@ -208,7 +208,7 @@ asset_type = Infrastructure confidence = medium explanation = The following event is generated when an associate receives an email from Okta asking if a login attempt was suspicious or not. If the associate identifies it as suspicious an event is generated and should be reviewed. how_to_implement = This analytic is specific to Okta and requires Okta logs to be ingested. It also requires that suspicious activity reporting is enabled and associates are trained to submit. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.CM"]} known_false_positives = False positives should be limited as this is a high fidelity marker. providing_technologies = null @@ -221,7 +221,7 @@ explanation = The following analytic looks for one or more policy evaluation eve * Aggregates/Groups by Device Token and User, providing the first policy evaluation event in the search window. \ * Evaluates whether there is more than one IP and whether there is more than one OS or browser for each combination of User/Device Token. how_to_implement = This analytic is specific to Okta and requires Okta:im2 logs to be ingested. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1539"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1539"], "nist": ["DE.AE"]} known_false_positives = False positives may be present based on organization size and configuration of Okta. providing_technologies = null 
@@ -231,7 +231,7 @@ asset_type = Infrastructure confidence = medium explanation = The following analytic utilizes Okta's ThreatInsight to identify "Login failures with high unknown users count" and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted. how_to_implement = This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.001", "T1110.004"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001", "T1110.004"], "nist": ["DE.CM"]} known_false_positives = Fidelity of this is high as it is Okta ThreatInsight. Filter and modify as needed. providing_technologies = null @@ -241,7 +241,7 @@ asset_type = Infrastructure confidence = medium explanation = The following analytic utilizes Okta's ThreatInsight to identify "PasswordSpray" and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted. how_to_implement = This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.001", "T1110.003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001", "T1110.003"], "nist": ["DE.CM"]} known_false_positives = Fidelity of this is high as it is Okta ThreatInsight. Filter and modify as needed. providing_technologies = null 
@@ -251,7 +251,7 @@ asset_type = Infrastructure confidence = medium explanation = The following anomaly relies on the Okta ThreatInsight identification of a threat. Use this to drive risk up by src_ip or add additional fields to track. Identification may include password spraying, login failures and Login failures with high unknown users count. how_to_implement = This analytic is specific to Okta and requires Okta logs to be ingested. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]} known_false_positives = False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. providing_technologies = null @@ -261,7 +261,7 @@ asset_type = Infrastructure confidence = medium explanation = The following analytic identifies an account that has rejected more than 2 Push notifications in a 10 minute window. Modify this query for your environment by upping the count or time window. how_to_implement = This analytic is specific to Okta and requires Okta logs to be ingested. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1110"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.CM"]} known_false_positives = False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete. providing_technologies = null 
@@ -271,7 +271,7 @@ asset_type = Infrastructure confidence = medium explanation = This search detects logins from the same user from different cities in a 24 hour period. how_to_implement = This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]} known_false_positives = Users in your enviornment may legitmately be travelling and loggin in from different locations. This search is useful for those users that should *not* be travelling for some reason, such as the COVID-19 pandemic. The search also relies on the geographical information being populated in the Okta logs. It is also possible that a connection from another region may be attributed to a login from a remote VPN endpoint. providing_technologies = null 
@@ -281,7 +281,7 @@ asset_type = Endpoint confidence = medium explanation = On May 3rd, 2022, Splunk published a security advisory for a Path traversal in search parameter that can potentiall allow SPL injection. An attacker can cause the application to load data from incorrect endpoints, urls leading to outcomes such as running arbitrary SPL queries. how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This search will provide search UI requests with path traversal parameter ("../../../../../../../../../") which shows exploitation attempts. This detection is meant for on premise environments, and if executed on internet facing servers without a WAF may produce a lot of results. This detection will not work against obfuscated path traversal requests. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1083"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1083"], "nist": ["DE.CM"]} known_false_positives = This search may find additional path traversal exploitation attempts. providing_technologies = null 
@@ -291,7 +291,7 @@ asset_type = Identity confidence = medium explanation = The following analytic identifies variations in the authentication event IP address versus the verification response event IP address to identify suspicious sign-in behavior. Currently this detection is configured to identify when the originating country of an authentication request is different than the verification country. how_to_implement = Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"]} known_false_positives = False positives may be generated by users working out the geographic region where the organizations services or technology is hosted. providing_technologies = null 
@@ -301,7 +301,7 @@ asset_type = Identity confidence = medium explanation = The following analytic identifies multiple failed multi-factor authentication requests for a single user within a PingID (PingOne) environment. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 10 minutes. PingID environments can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. how_to_implement = Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1621", "T1078", "T1110"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1621", "T1078", "T1110"], "nist": ["DE.CM"]} known_false_positives = False positives may be generated by normal provisioning workflows for user device registration. providing_technologies = null 
@@ -311,7 +311,7 @@ asset_type = Identity confidence = medium explanation = A common social engineering technique used by threat actors is the impersonation of a valid user to organizational support staff for a password reset. During the same support call or quickly afterwards the threat actor will request provisioning of a new MFA device. This does not require malware or phishing infrastructure and has proven to be successful in numerous historical attacks. This detection looks for the pattern of password reset, followed by MFA device provisioning. how_to_implement = Target environment must ingest Windows Event Log and PingID(PingOne) data sources. Specifically from logs from Active Directory Domain Controllers and JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"]} known_false_positives = False positives may be generated by normal provisioning workflows that generate a password reset followed by a device registration. providing_technologies = ["Microsoft Windows"] 
@@ -321,7 +321,7 @@ asset_type = Identity
 confidence = medium
 explanation = The following analytic identifies the registration of a new Multi Factor authentication method for a PingID (PingOne) account. Adversaries who have obtained unauthorized access to a user account may register a new MFA method to maintain persistence.
 how_to_implement = Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be generated by normal provisioning workflows for user device registration.
 providing_technologies = null
@@ -331,7 +331,7 @@ asset_type = endpoint
 confidence = medium
 explanation = In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can exploit an absolute path traversal to execute arbitrary code that is located on a separate disk.
 how_to_implement = Must have access to internal indexes. Only applies to Splunk on Windows versions.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1083"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1083"], "nist": ["DE.AE"]}
 known_false_positives = The command runshellscript can be used for benign purposes. Analyst will have to review the searches and determined maliciousness specially by looking at targeted script.
 providing_technologies = null 
@@ -341,7 +341,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = Splunk drilldown vulnerability disclosure in Dashboard application that can potentially allow exposure of tokens from privilege users. An attacker can create dashboard and share it to privileged user (admin) and detokenize variables using external urls within dashboards drilldown function.
 how_to_implement = This search uses REST function to query for dashboards with environment variables present in URL options.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.CM"]}
 known_false_positives = This search may reveal non malicious URLs with environment variables used in organizations.
 providing_technologies = null 
@@ -351,7 +351,7 @@ asset_type = endpoint
 confidence = medium
 explanation = This search provides information to investigate possible remote code execution exploitation via user-supplied Extensible Stylesheet Language Transformations (XSLT), affecting Splunk versions 9.1.x.
 how_to_implement = Because there is no way to detect the payload, this search only provides the ability to monitor the creation of lookups which are the base of this exploit. An operator must then investigate suspicious lookups. This search requires ability to perform REST queries. Note that if the Splunk App for Lookup File Editing is not, or was not, installed in the Splunk environment then it is not necessary to run the search as the enviornment was not vulnerable.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
 known_false_positives = This search will provide information for investigation and hunting of lookup creation via user-supplied XSLT which may be indications of possible exploitation. There will be false positives as it is not possible to detect the payload executed via this exploit.
 providing_technologies = null 
@@ -361,7 +361,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This hunting search provides information about a vulnerability in Splunk Enterprise versions below 8.2.9, 8.1.12, 9.0.2, where an authenticated user can execute arbitrary code via the dashboard pdf generation component. Please review events with file=export in the _internal index for the potential targets of exploitation.
 how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
 known_false_positives = Not all exports and downloads are malicious, special attention must be put as well on /en-US/splunkd/__raw/services/pdfgen/render in the context of this search.
 providing_technologies = null 
@@ -371,7 +371,7 @@ asset_type = Web Server
 confidence = medium
 explanation = The following analytic identifies the use of the risky command - Delete - that may be utilized in Splunk to delete some or all data queried for. In order to use Delete in Splunk, one must be assigned the role. This is typically not used and should generate an anomaly if it is used.
 how_to_implement = To successfully implement this search acceleration is recommended against the Search_Activity datamodel that runs against the splunk _audit index. In addition, this analytic requires the Common Information Model App which includes the Splunk Audit Datamodel https://splunkbase.splunk.com/app/1621/.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
 known_false_positives = False positives may be present if this command is used as a common practice. Filter as needed.
 providing_technologies = null 
@@ -381,7 +381,7 @@ asset_type = Web Server
 confidence = medium
 explanation = The Splunk platform contains built-in search processing language (SPL) safeguards to warn you when you are about to unknowingly run a search that contains commands that might be a security risk. This warning appears when you click a link or type a URL that loads a search that contains risky commands. The warning does not appear when you create ad hoc searches. This warning alerts you to the possibility of unauthorized actions by a malicious user. Unauthorized actions include - Copying or transferring data (data exfiltration), Deleting data and Overwriting data. All risky commands may be found here https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warninga. A possible scenario when this might occur is when a malicious actor creates a search that includes commands that exfiltrate or damage data. The malicious actor then sends an unsuspecting user a link to the search. The URL contains a query string (q) and a search identifier (sid), but the sid is not valid. The malicious actor hopes the user will use the link and the search will run. During analysis, pivot based on user name and filter any user or queries not needed. Queries ran from a dashboard are seen as adhoc queries. When a query runs from a dashboard it will not show in audittrail logs the source dashboard name. The query defaults to adhoc and no Splunk system user activity. In addition, modify this query by removing key commands that generate too much noise, or too little, and create separate queries with higher confidence to alert on.
 how_to_implement = To successfully implement this search acceleration is recommended against the Search_Activity datamodel that runs against the splunk _audit index. In addition, this analytic requires the Common Information Model App which includes the Splunk Audit Datamodel https://splunkbase.splunk.com/app/1621/. 
Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
 known_false_positives = False positives will be present until properly filtered by Username and search name.
 providing_technologies = null 
@@ -391,7 +391,7 @@ asset_type = Web Server
 confidence = medium
 explanation = This detection utilizes machine learning model named "risky_command_abuse" trained from "Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline". It should be scheduled to run hourly to detect whether a user has run searches containing risky SPL from this list https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warninga with abnormally long running time in the past one hour, comparing with his/her past seven days history. This search uses the trained baseline to infer whether a search is an outlier (isOutlier ~= 1.0) or not (isOutlier~= 0.0)
 how_to_implement = This detection depends on MLTK app which can be found here - https://splunkbase.splunk.com/app/2890/ and the Splunk Audit datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. Baseline model needs to be built using "Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline" before this search can run. Please note that the current search only finds matches exactly one space between separator bar and risky commands.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
 known_false_positives = If the run time of a search exceeds the boundaries of outlier defined by the fitted density function model, false positives can occur, incorrectly labeling a long running search as potentially risky.
 providing_technologies = null 
@@ -401,7 +401,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a cross-site request forgery in the Splunk Secure Gateway (SSG) app in the kvstore_client endpoint allows for updating SSG KV store collections via a GET request. SSG is a Splunk Built app included by default with Splunk Enterprise. The vulnerability affects instances with SSG and Splunk Web enabled. This hunting search provides information on affected server specific method and post data that may reveal exploitation of this vulnerability.
 how_to_implement = Requires access to internal index.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]}
 known_false_positives = This hunting search only applies to the affected versions and setup mentioned in the description of this search, it does not extract payload so it requires manual investigation after executing search. This search will produce false positives.
 providing_technologies = null 
@@ -411,7 +411,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This hunting search allows operator to discover attempts to exfiltrate data by executing a prepositioned malicious search ID in Analytic Workspace in Splunk Enterprise versions 8.2.9,8.1.12,9.0.2. The attack is browser-based. It requires the attacker to compel a victim to initiate a request within their browser (phishing). The attacker cannot exploit the vulnerability at will.
 how_to_implement = The vulnerability affects only instances with Splunk Web Enabled. After running this search, please run "Splunk Command and Scripting Interpreter Risky SPL MLTK" to gain more insight into potentially risky commands which could lead to data exfiltration.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1567"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1567"], "nist": ["DE.AE"]}
 known_false_positives = This search may produce false positives. This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. Special attention must be paid to "/en-US/app/search/analytics_workspace?sid=[sid]" which is where the malicious code will be inserted to trigger attack at victim.
 providing_technologies = null 
@@ -421,7 +421,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search will check the TLS validation is properly configured on the search head it is run from as well as its search peers after Splunk version 9. Other components such as additional search heads or anything this rest command cannot be distributed to will need to be manually checked.
 how_to_implement = The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (the `dispatch_rest_to_indexers` capability) in some architectures. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1587.003"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1587.003"], "nist": ["DE.AE"]}
 known_false_positives = No known at this time.
 providing_technologies = null 
@@ -431,7 +431,7 @@ asset_type = endpoint
 confidence = medium
 explanation = On June 14th, 2022, Splunk released a security advisory relating to the authentication that happens between Universal Forwarders and Deployment Servers. In some circumstances, an unauthenticated client can download forwarder bundles from the Deployment Server. In other circumstances, a client may be allowed to publish a forwarder bundle to other clients, which may allow for arbitrary code execution. The fixes for these require upgrading to at least Splunk 9.0 on the forwarder as well. This is a great opportunity to configure TLS across the environment. This search looks for forwarders that are not using TLS and adds risk to those entities.
 how_to_implement = This anomaly search looks for forwarder connections that are not currently using TLS. It then presents the source IP, the type of forwarder, and the version of the forwarder. You can also remove the "ssl=false" argument from the initial stanza in order to get a full list of all your forwarders that are sending data, and the version of Splunk software they are running, for audit purposes. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1587.003"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1587.003"], "nist": ["DE.AE"]}
 known_false_positives = None at this time
 providing_technologies = null 
@@ -441,7 +441,7 @@ asset_type = endpoint
 confidence = medium
 explanation = In Splunk Enterprise versions lower than 9.0.6, and 8.2.12, an attacker can send a malformed security assertion markup language SAML request to the /saml/acs REST endpoint which can cause a denial of service through a crash or hang of the Splunk daemon.The SAML extensible markup language (XML) parser does not fail SAML signature validation when the attacker modifies the URI in the SAML request. Instead it attempts to access the modified URI, which causes the Splunk daemon to crash or hang.
 how_to_implement = To run this search, you must have access to the _internal index.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1498"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1498"], "nist": ["DE.AE"]}
 known_false_positives = This search will show false positives. The analyst must look for errors and a pointer indicating a malicious file.
 providing_technologies = null
@@ -451,7 +451,7 @@ asset_type = endpoint
 confidence = medium
 explanation = In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an attacker can exploit a vulnerability in the dump SPL command to cause a Denial of Service by crashing the Splunk daemon.
 how_to_implement = This search does not require additional ingestion of data. Requires the ability to search _internal index and monitor segmentation faults.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1499.004"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499.004"], "nist": ["DE.AE"]}
 known_false_positives = Segmentation faults may occur due to other causes, so this search may produce false positives
 providing_technologies = null 
@@ -461,7 +461,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = On March 24th, 2022, Splunk published a security advisory for a possible Denial of Service stemming from the lack of validation in a specific key-value field in the Splunk-to-Splunk (S2S) protocol. This detection will alert on attempted exploitation in patched versions of Splunk.
 how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection will only find attempted exploitation on versions of Splunk already patched for CVE-2021-3422.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1498"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1498"], "nist": ["DE.CM"]}
 known_false_positives = None.
 providing_technologies = null
@@ -471,7 +471,7 @@ asset_type = endpoint
 confidence = medium
 explanation = This hunting search provides information on detecting a vulnerability In Splunk Enterprise versions lower than 8.1.14, 8.2.12, 9.0.6, and 9.1.1, an attacker can use the printf SPL function to perform a denial of service against the Splunk Enterprise instance.
 how_to_implement = This search requires the ability to search internal indexes.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1499.004"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499.004"], "nist": ["DE.AE"]}
 known_false_positives = This search may produces false positives, analyst most focuse in the use of printf conversion function of eval to craft an expression that splunkd cannot interpret correctly causing it to crash.
 providing_technologies = null 
@@ -481,7 +481,7 @@ asset_type = endpoint
 confidence = medium
 explanation = A low-privilege user who holds a role that has the edit_user capability assigned to it can escalate their privileges to that of the admin user by providing specially crafted web requests.
 how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to discover abuse of edit_user privilege.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.AE"]}
 known_false_positives = This search may produce false positives as password changing actions may be part of normal behavior. Operator will need to investigate these actions in order to discern exploitation attempts.
 providing_technologies = null
@@ -491,7 +491,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search allows operator to identify Splunk search app crashes resulting from specially crafted ZIP file using file monitoring that affects UF versions 8.1.11 and 8.2 versions below 8.2.7.1. It is not possible to detect Zip Bomb attack before crash. This search will provide Universal Forwarder errors from uploaded binary files (zip compression) which are used for this attack. If an analyst sees results from this search we suggest you investigate and triage what zip file was uploaded, zip compressed files may have different extensions.
 how_to_implement = Need to monitor Splunkd data from Universal Forwarders.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]}
 known_false_positives = This search may reveal non malicious zip files causing errors as well.
 providing_technologies = null 
@@ -501,7 +501,7 @@ asset_type = Splunk Server
 confidence = medium
 explanation = In Splunk Enterprise versions below 9.0.8 and 9.1.3, Splunk app key value store KV Store improperly handles permissions for users using the REST application programming interface (API). This can potentially result in the deletion of KV Store collections.
 how_to_implement = Requires access to internal indexes and REST API enabled instances.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.AE"]}
 known_false_positives = This is a hunting search and will produce false positives. Operator must follow results into instances where curl requests coming from actual users may indicate intent of exploitation.
 providing_technologies = null
@@ -511,7 +511,7 @@ asset_type = Splunk Server
 confidence = medium
 explanation = In Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3, Splunk Enterprise does not correctly sanitize path input data resulting in the unsafe deserialization of untrusted data. This vulnerability only affects Splunk Enterprise for Windows.
 how_to_implement = Requires access to internal indexes. This detection search will display irregular path file execution, which will display exploit attempts. Only applies to Microsoft Windows Splunk versions.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
 known_false_positives = Irregular path with files that may be purposely called for benign reasons may produce false positives.
 providing_technologies = null 
@@ -521,7 +521,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = In Splunk Enterprise Security (ES) versions lower than 7.1.2, an attacker can create a malformed Investigation to perform a denial of service (DoS). The malformed investigation prevents the generation and rendering of the Investigations manager until it is deleted.
 how_to_implement = This search requires access to internal indexes. Only affects Splunk Enterprise Security versions lower than 7.1.2.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]}
 known_false_positives = The vulnerability requires an authenticated session and access to create an Investigation. It only affects the availability of the Investigations manager, but without the manager, the Investigations functionality becomes unusable for most users. This search gives the exact offending event.
 providing_technologies = null 
@@ -531,7 +531,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = In Splunk Enterprise Security (ES) versions below 7.1.2, an attacker can use investigation attachments to perform a denial of service (DoS) to the Investigation. The attachment endpoint does not properly limit the size of the request which lets an attacker cause the Investigation to become inaccessible.
 how_to_implement = This search requires access to internal indexes, only affects Enterprise Security versions below 7.1.2.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]}
 known_false_positives = This search will show the exact DoS event via error message and investigation id. The error however does not point exactly at the uploader as any users associated with the investigation will be affected. Operator must investigate using investigation id the possible origin of the malicious upload. Attack only affects specific investigation not the investigation manager.
 providing_technologies = null 
@@ -541,7 +541,7 @@ asset_type = endpoint
 confidence = medium
 explanation = A low-privileged user, using a specially crafted search command, can trigger an HTTP response splitting vulnerability with the rest SPL command that lets them potentially access other REST endpoints in the system arbitrarily, including accessing restricted content such as password files. This is because the user is able to inject the rest SPL command into the q parameter of an HTTP GET web request. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will.
 how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This search may assist in detecting possible http response splitting exploitation attemptss.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1027.006"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027.006"], "nist": ["DE.AE"]}
 known_false_positives = This search may have produce false positives as malformed or erroneous requests made to this endpoint may be executed willingly or erroneously by operators.
 providing_technologies = null 
@@ -551,7 +551,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, when the INGEST\\_EVAL parameter is improperly formatted, it crashes splunkd. This hunting search provides the user, timing and number of times the crashing command was executed.
 how_to_implement = Requires access to audittrail and use of Splunk_Audit.Search_Activity datamodel.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]}
 known_false_positives = This is a hunting search it should be focused on affected products, otherwise it is likely to produce false positives.
 providing_technologies = null
@@ -561,7 +561,7 @@ asset_type = Splunk Server
 confidence = medium
 explanation = In Splunk Add-on Builder versions below 4.1.4, the application writes sensitive information to its internal log files when you visit the Splunk Add-on Builder or when you build or edit a custom app or add-on.
 how_to_implement = This search should be run on search heads where Splunk Add-on Builder may be installed. The results of this search will conclusively show whether or not a vulnerable version of Splunk Add-on Builder is currently installed.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1082"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.AE"]}
 known_false_positives = This search is highly specific for vulnerable versions of Splunk Add-on Builder. There are no known false positives.
 providing_technologies = null 
@@ -571,7 +571,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search will enumerate all Splunk Accounts with administrative rights on this instance. It deliberately ignores the default admin account since this is assumed to be present. This search may help in a detection the Cross-Site Scripting Attack listed: In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting in an XML View through the 'layoutPanel' attribute in the 'module' tag. The vulnerability affects instances with Splunk Web enabled.
 how_to_implement = The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (the `dispatch_rest_to_indexers` capability) in some architectures. If there have been admin account, in addition to the standard admin account, intentionally created on this server, then edit the filter macro to exclude them.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
 known_false_positives = It is not possible to discern from the user table whether or not users with admin rights have been created intentionally, accidentally, or as a result of exploitation. Each user with these rights should be investigated and, if legitimate, added to the filter macro above. If a user is not believed to be legitimate, then further investigation should take place.
 providing_technologies = null 
@@ -581,7 +581,7 @@ asset_type = endpoint
 confidence = medium
 explanation = In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a low-privilege user who holds the user role can see the hashed version of the initial user name and password for the Splunk instance by using the rest SPL command against the conf-user-seed REST endpoint. This can lead to a privilege escalation that lets the user take over the admin account on the instance.
 how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to discover attempts to access con-user-seed file content.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1212"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1212"], "nist": ["DE.AE"]}
 known_false_positives = This search may produce false positives as accounts with high privileges may access this file. Operator will need to investigate these actions in order to discern exploitation attempts.
 providing_technologies = null 
@@ -591,7 +591,7 @@ asset_type = endpoint
 confidence = medium
 explanation = In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a low-privilege user with access to the Splunk App for Lookup File Editing can, with a specially crafted web request, trigger a path traversal exploit that can then be used to read and write to restricted areas of the Splunk installation directory, including but not limited to the password hash file for the instance.
 how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection is meant for on premise environments, and if executed on internet facing servers without a WAF may produce a lot of results. This detection will not work against obfuscated path traversal requests.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1083"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1083"], "nist": ["DE.AE"]}
 known_false_positives = This search may find additional path traversal exploitation attempts or malformed requests.
 providing_technologies = null 
@@ -601,7 +601,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = In Splunk Enterprise 9.0 versions before 9.0.4, a View allows for Cross-Site Scripting through the error message in a Base64-encoded image. The vulnerability affects instances with Splunk Web enabled. It does not affect Splunk Enterprise versions below 9.0. This search provides information on what user may have potentially added a malicious payload and what users were exposed to it.
 how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]}
 known_false_positives = This is a hunting search, it will not deobfuscate base64 payload, it provides however it will provide what user added the view artifact and what user opened it. It will require further investigation based on the information presented by this hunting search.
 providing_technologies = null
 
@@ -611,7 +611,7 @@ asset_type = endpoint
 confidence = medium
 explanation = In Splunk Enterprise versions below 9.0.4, 8.2.10, and 8.1.13, a low-privileged user can bypass URL validation to perform a path traversal and access restricted and confidential information by targeting other users on the instance, including the admin user. The only affected version of bootstrap which shipped with Splunk was version 2.3.1, so the search is targeted at that version alone.
 how_to_implement = This search does not require additional data to be ingested. This search requires ability to search _internal index. This search helps discover access to vulnerable bootstrap versions.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
 known_false_positives = This search will produce numerous false positives as it shows ANY accesses to vulnerable bootstrap Javascript files. Accesses to these files occur during normal Splunk usage. To reduce or eliminate false positives, update the a version of Splunk which has addressed the vulnerability.
 providing_technologies = null
 
@@ -621,7 +621,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = On June 14th, 2022, Splunk released a security advisory relating to the authentication that happens between Universal Forwarders and Deployment Servers. In some circumstances, an unauthenticated client can download forwarder bundles from the Deployment Server. This hunting search pulls a full list of forwarder bundle downloads where the peer column is the forwarder, the host column is the Deployment Server, and then you have a list of the apps downloaded and the serverclasses in which the peer is a member of. You should look for apps or clients that you do not recognize as being part of your environment.
 how_to_implement = This hunting search uses native logs produced when a deployment server is within your environment. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.AE"]}
 known_false_positives = None at this time.
 providing_technologies = null
 
@@ -631,7 +631,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = On June 14th, 2022, Splunk released a security advisory relating to TLS validation occuring within the httplib and urllib python libraries shipped with Splunk. In addition to upgrading to Splunk Enterprise 9.0 or later, several configuration settings need to be set. This search will check those configurations on the search head it is run from as well as its search peers. In addition to these settings, the PYTHONHTTPSVERIFY setting in $SPLUNK_HOME/etc/splunk-launch.conf needs to be enabled as well. Other components such as additional search heads or anything this rest command cannot be distributed to will need to be manually checked.
 how_to_implement = The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (The `dispatch_rest_to_indexers` capability). Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1001.003"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1001.003"], "nist": ["DE.AE"]}
 known_false_positives = While all of the settings on each device returned by this search may appear to be hardened, you will still need to verify the value of PYTHONHTTPSVERIFY in $SPLUNK_HOME/etc/splunk-launch.conf on each device in order to harden the python configuration.
 providing_technologies = null
 
@@ -641,7 +641,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = On June 14th 2022, Splunk released vulnerability advisory addresing Python TLS validation which was not set before Splunk version 9. This search displays events showing WARNING of using Splunk issued default selfsigned certificates.
 how_to_implement = Must upgrade to Splunk version 9 and Configure TLS in order to apply this search. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1588.004"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1588.004"], "nist": ["DE.AE"]}
 known_false_positives = This searches finds self signed certificates issued by Splunk which are not recommended from Splunk version 9 forward.
 providing_technologies = null
 
@@ -651,7 +651,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = On Splunk version 9 on Python3 client libraries verify server certificates by default and use CA certificate store. This search warns a user about a failure to validate a certificate using python3 request.
 how_to_implement = Must upgrade to Splunk version 9 and Configure TLS host name validation for Splunk Python modules in order to apply this search. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1588.004"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1588.004"], "nist": ["DE.AE"]}
 known_false_positives = This search tries to address validation of server and client certificates within Splunk infrastructure, it might produce results from accidental or unintended requests to port 8089.
 providing_technologies = null
 
@@ -661,7 +661,7 @@ asset_type = endpoint
 confidence = medium
 explanation = An unauthorized user can use the /services/indexing/preview REST endpoint to overwrite search results if they know the search ID (SID) of an existing search job.
 how_to_implement = This search does not require additional data ingestion. It requires the ability to search _internal index.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1134"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134"], "nist": ["DE.AE"]}
 known_false_positives = This is a hunting search which provides verbose results against this endpoint. Operator must consider things such as IP address, useragent and user(specially low privelege) and host to investigate possible attack.
 providing_technologies = null
 
@@ -671,7 +671,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can execute a specially crafted query that they can then use to serialize untrusted data. The attacker can use the query to execute arbitrary code. The exploit requires the use of the 'collect' SPL command which writes a file within the Splunk Enterprise installation. The attacker can then use this file to submit a serialized payload that can result in execution of code within the payload. Please refer to the following URL for additional information on these disclosures - https://advisory.splunk.com
 how_to_implement = Requires access to the _audit index.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]}
 known_false_positives = There are numerous many uses of the 'makeresults' and 'collect' SPL commands. Please evaluate the results of this search for potential abuse.
 providing_technologies = null
 
@@ -681,7 +681,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This hunting search provides information on possible exploitation attempts against Splunk Secure Gateway App Mobile Alerts feature in Splunk versions 9.0, 8.2.x, 8.1.x. An authenticated user can run arbitrary operating system commands remotely through the use of specially crafted requests to the mobile alerts feature in the Splunk Secure Gateway app.
 how_to_implement = This search only applies if Splunk Mobile Gateway is deployed in the vulnerable Splunk versions.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
 known_false_positives = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. Focus of this search is "uri_path=/servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*" which is the injection point.
 providing_technologies = null
 
@@ -691,7 +691,7 @@ asset_type = endpoint
 confidence = medium
 explanation = This search provides information to investigate possible remote code execution exploitation via user-supplied Extensible Stylesheet Language Transformations (XSLT), affecting Splunk versions 9.1.x.
 how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
 known_false_positives = This search will provide information for investigation and hunting possible abuse of user-supplied XSLT. There may be false positives and results should individually evaluated. Please evaluate the source IP and useragent responsible for creating the requests.
 providing_technologies = null
 
@@ -701,7 +701,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = Splunk versions below 8.1.12,8.2.9 and 9.0.2 are vulnerable to reflected cross site scripting (XSS). A View allows for a Reflected Cross Site scripting via JavaScript Object Notation (JSON) in a query parameter when ouput_mode=radio.
 how_to_implement = This vulnerability only affects instances with Splunk Web enabled. This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
 known_false_positives = This search may produce false positives as it is difficult to pinpoint all possible XSS injection characters in a single search string. Special attention is required to "en-US/list/entities/x/ui/views" which is the vulnerable injection point.
 providing_technologies = null
 
@@ -711,7 +711,7 @@ asset_type = endpoint
 confidence = medium
 explanation = In Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12, an attacker can craft a special web request that can result in reflected cross-site scripting XSS on the app search table web endpoint, which presents as the Create Table View page in Splunk Web. Exploitation of this vulnerability can lead to the execution of arbitrary commands on the Splunk platform instance. A JavaScript file within this web endpoint does not properly validate input which lets an attacker insert a payload into a function.
 how_to_implement = Need access to the internal indexes.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
 known_false_positives = This search will produce false positives. It is necessary to also look at uri_query parameter to determine the possible malicious intention of inserting makeresults within the uri string.
 providing_technologies = null
 
@@ -721,7 +721,7 @@ asset_type = Splunk Server
 confidence = medium
 explanation = This search looks for a variety of high-risk commands throughout a number of different Splunk Vulnerability Disclosures. Please refer to the following URL for additional information on these disclosures - https://advisory.splunk.com
 how_to_implement = Requires implementation of Splunk_Audit.Search_Activity datamodel.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548", "T1202"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548", "T1202"], "nist": ["DE.AE"]}
 known_false_positives = This search encompasses many commands.
 providing_technologies = null
 
@@ -731,7 +731,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = Splunk Enterprise versions 8.1.12, 8.2.9, 9.0.2 are vulnerable to persistent cross site scripting via Data Model object name. An authenticated user can inject and store arbitrary scripts that can lead to persistent cross-site scripting (XSS) in the object name Data Model.
 how_to_implement = This vulnerability only affects Splunk Web enabled instances. This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
 known_false_positives = This search may produce false positives and does not cover exploitation attempts via code obfuscation, focus of search is suspicious requests against "/en-US/splunkd/__raw/servicesNS/*/launcher/datamodel/model" which is the injection point.
 providing_technologies = null
 
@@ -741,7 +741,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = An attacker can use a specially crafted web URL in their browser to cause log file injection, in which the attack inserts American National Standards Institute (ANSI) escape codes into specific files using a terminal program that supports those escape codes. The attack requires a terminal program that supports the translation of ANSI escape codes and requires additional user interaction to successfully execute. This following analytic detects potential log injection attempts into the Splunk server.
 how_to_implement = This only affects web enabled Splunk instances. The detection does require the ability to search the _internal index.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]}
 known_false_positives = This hunting search will produce false positives if ANSI escape characters are included in URLs either voluntarily or by accident. This search will not detect obfuscated ANSI characters.
 providing_technologies = null
 
@@ -751,7 +751,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table uploads let a user upload lookup tables with unnecessary filename extensions. Lookup table file extensions may now only be one of .csv, .csv.gz, .kmz, .kml, .mmdb, or .mmdb.gz. This search provides user activity focus on uploads which aims to help hunt for malicious file uploads.
 how_to_implement = Requires access to internal splunkd_access.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]}
 known_false_positives = This is a hunting search, the search provides information on upload, edit, and delete activity on Lookup Tables. Manual investigation is necessary after executing search. This search will produce false positives as payload cannot be directly discerned.
 providing_technologies = null
 
@@ -761,7 +761,7 @@ asset_type = endpoint
 confidence = medium
 explanation = On May 3rd, 2022, Splunk published a security advisory for username enumeration stemming from verbose login failure messages present on some REST endpoints. This detection will alert on attempted exploitation in patched versions of Splunk as well as actual exploitation in unpatched version of Splunk.
 how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to find password spraying or brute force authorization attempts in addition to someone enumerating usernames.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.CM"]}
 known_false_positives = Automation executing authentication attempts against your Splunk infrastructure with outdated credentials may cause false positives.
 providing_technologies = null
 
@@ -771,7 +771,7 @@ asset_type = endpoint
 confidence = medium
 explanation = This detection provides information about possible exploitation against affected versions of Splunk Enterprise 9.1.2. The ability to view JSON logs in the web GUI may be abused by crafting a specific request, causing the execution of javascript in script tags. This vulnerability can be used to execute javascript to access the API at the permission level of the logged-in user. If user is admin it can be used to create an admin user, giving an attacker broad access to the Splunk Environment.
 how_to_implement = This search only applies to web-GUI-enabled Splunk instances and operator must have access to internal indexes.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
 known_false_positives = This is a hunting search and will produce false positives as it is not possible to view contents of a request payload. It shows the artifact resulting from a potential exploitation payload (the creation of a user with admin privileges).
 providing_technologies = null
 
@@ -781,7 +781,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = On May 3rd, 2022, Splunk published a security advisory for a reflective Cross-Site Scripting (XSS) vulnerability stemming from the lack of input validation in the Distributed Monitoring Console app. This detection will alert on attempted exploitation in patched versions of Splunk as well as actual exploitation in unpatched version of Splunk.
 how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection will find attempted exploitation of CVE-2022-27183.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]}
 known_false_positives = Use of the monitoring console where the less-than sign (<) is the first character in the description field.
 providing_technologies = null
 
@@ -791,7 +791,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This is a hunting search to find persistent cross-site scripting XSS code that was included while inputing data in 'Save Table' dialog in Splunk Enterprise (8.1.12,8.2.9,9.0.2). A remote user with "power" Splunk role can store this code that can lead to persistent cross site scripting.
 how_to_implement = Watch for POST requests combined with XSS script strings or obfuscation against the injection point /en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
 known_false_positives = If host is vulnerable and XSS script strings are inputted they will show up in search. Not all Post requests are malicious as they will show when users create and save dashboards. This search may produce several results with non malicious POST requests. Only affects Splunk Web enabled instances.
 providing_technologies = null
 
@@ -801,7 +801,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting in an XML View through the 'layoutPanel' attribute in the 'module' tag. The vulnerability affects instances with Splunk Web enabled. This hunting search shows users action, application and role used for creating views related to this vulnerability.
 how_to_implement = This data is collected by default in Splunk. Upon first enabling this rule, a number of errors may be observed. Those that are due to improperly formatted, but non-nefarious, XML views should be be remedied in the corresponding view. Please take care investigating potential XSS as accessing an affected page could retrigger the exploit.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
 known_false_positives = The error detected above can be generated for a wide variety of improperly formatted XML views. There will be false positives as the search cannot extract the malicious payload and the view should be manually investigated.
 providing_technologies = null
 
@@ -813,7 +813,7 @@ explanation = The following analytic detects emails that contain attachments wit
 how_to_implement = You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model. \
 **Splunk Phantom Playbook Integration**\
 If Splunk Phantom is also configured in your environment, a Playbook called "Suspicious Email Attachment Investigate and Delete" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, and add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
 known_false_positives = None identified
 providing_technologies = null
 
@@ -833,7 +833,7 @@ asset_type = Web Server
 confidence = medium
 explanation = The following analytic detects suspicious processes on systems labeled as web servers. This detection is made by a Splunk query that searches for specific process names that might indicate malicious activity. These suspicious processes include "whoami", "ping", "iptables", "wget", "service", and "curl". Uses the Splunk data model "Endpoint.Processes" and filters the results to only include systems categorized as web servers. This detection is important because it indicates unauthorized or malicious activity on web servers since these processes are commonly used by attackers to perform reconnaissance, establish persistence, or exfiltrate data from compromised systems. The impact of such an attack can be significant, ranging from data theft to the deployment of additional malicious payloads, potentially leading to ransomware or other damaging outcomes. False positives might occur since the legitimate use of these processes on web servers can trigger the analytic. Next steps include triaging and investigating to determine the legitimacy of the activity. Also, review the source and command of the suspicious process. You must also examine any relevant on-disk artifacts and look for concurrent processes to identify the source of the attack.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1082"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.CM"]}
 known_false_positives = Some of these processes may be used legitimately on web servers during maintenance or other administrative tasks.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -843,7 +843,7 @@ asset_type = AWS Instance
 confidence = medium
 explanation = This search will detect a spike in the number of API calls made to your cloud infrastructure environment by a user.
 how_to_implement = You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Infrastructure API Calls Per User` to create the probability density function.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
 known_false_positives =
 providing_technologies = null
 
@@ -853,7 +853,7 @@ asset_type = Cloud Instance
 confidence = medium
 explanation = This search finds for the number successfully destroyed cloud instances for every 4 hour block. This is split up between weekdays and the weekend. It then applies the probability densitiy model previously created and alerts on any outliers.
 how_to_implement = You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Instances Destroyed` to create the probability density function.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
 known_false_positives = Many service accounts configured within a cloud infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.
 providing_technologies = null
 
@@ -863,7 +863,7 @@ asset_type = Cloud Instance
 confidence = medium
 explanation = This search finds for the number successfully created cloud instances for every 4 hour block. This is split up between weekdays and the weekend. It then applies the probability densitiy model previously created and alerts on any outliers.
 how_to_implement = You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Instances Launched` to create the probability density function.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
 known_false_positives = Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.
 providing_technologies = null
 
@@ -873,7 +873,7 @@ asset_type = AWS Instance
 confidence = medium
 explanation = This search will detect a spike in the number of API calls made to your cloud infrastructure environment about security groups by a user.
 how_to_implement = You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Security Group API Calls Per User` to create the probability density function model.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
 known_false_positives =
 providing_technologies = null
 
@@ -883,7 +883,7 @@ asset_type = Amazon EKS Kubernetes cluster
 confidence = medium
 explanation = This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster in AWS
 how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudWatch EKS Logs inputs.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]}
 known_false_positives = Not all unauthenticated requests are malicious, but frequency, UA and source IPs will provide context.
 providing_technologies = null
 
@@ -893,7 +893,7 @@
 asset_type = Amazon EKS Kubernetes cluster Pod
 confidence = medium
 explanation = The following analytic detects unauthenticated requests made against the Kubernetes' Pods API through proactive monitoring to protect the Kubernetes environment from unauthorized access and potential security breaches. The detection is made by using the Splunk query `aws_cloudwatchlogs_eks` with specific filters to identify these requests. Identifies events where the `user.username` is set to "system:anonymous", the `verb` is set to "list", and the `objectRef.resource` is set to "pods". Additionally, the search checks if the `requestURI` is equal to "/api/v1/pods". Analyzing these events helps you to identify any unauthorized access attempts to the Kubernetes' Pods API. Unauthenticated requests can indicate potential security breaches or unauthorized access to sensitive resources within the Kubernetes environment. The detection is important because unauthorized access to Kubernetes' Pods API can lead to the compromise of sensitive data, unauthorized execution of commands, or even the potential for lateral movement within the Kubernetes cluster. False positives might occur since there might be legitimate use cases for unauthenticated requests in certain scenarios. Therefore, you must review and validate any detected events before taking any action. Next steps include investigating the incident to mitigate any ongoing threats, and strengthening the security measures to prevent future unauthorized access attempts.
 how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on forAWS (version 4.4.0 or later), then configure your AWS CloudWatch EKS Logs.Please also customize the `kubernetes_pods_aws_scan_fingerprint_detection` macro to filter out the false positives.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]}
 known_false_positives = Not all unauthenticated requests are malicious, but frequency, UA and source IPs and direct request to API provide context.
 providing_technologies = null
@@ -903,7 +903,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = The following analytic identifies an AWS IAM account with concurrent sessions coming from more than one unique IP address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources. When a user navigates the AWS Console after authentication, the API call with the event name `DescribeEventAggregates` is registered in the AWS CloudTrail logs. The Splunk Threat Research team leveraged this event name to identify 2 concurrent sessions. The presence of this event occurring from two different IP addresses is highly unlikely. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.
 how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1185"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.AE"]}
 known_false_positives = A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.
 providing_technologies = null
@@ -913,7 +913,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
 how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
 known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.
 providing_technologies = null
@@ -923,7 +923,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This analytic identifies AWS `DeleteTrail` events within CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the the entire cloudtrail that is logging activities in the environment.
 how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = While this search has no known false positives, it is possible that an AWS admin has stopped cloudTrail logging. Please investigate this activity.
 providing_technologies = null
@@ -933,7 +933,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This analytic identifies AWS `DeleteLogGroup` events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.
 how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]}
 known_false_positives = While this search has no known false positives, it is possible that an AWS admin has deleted CloudWatch logging. Please investigate this activity.
 providing_technologies = null
@@ -943,7 +943,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This analytic looks for several delete specific API calls made to AWS Security Services like CloudWatch, GuardDuty and Web Application Firewalls. These API calls are often leveraged by adversaries to weaken existing security defenses by deleting logging configurations in the CloudWatch alarm, delete a set of detectors from your Guardduty environment or simply delete a bunch of CloudWatch alarms to remain stealthy and avoid detection.
 how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"]}
 known_false_positives = While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names.
 providing_technologies = null
@@ -953,7 +953,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This search looks for AWS CloudTrail events and analyse the amount of eventNames which starts with Describe by a single user. This indicates that this user scans the configuration of your AWS cloud environment.
 how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]}
 known_false_positives = While this search has no known false positives.
 providing_technologies = null
@@ -963,7 +963,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = The following detection identifes when a policy is deleted on AWS. This does not identify whether successful or failed, but the error messages tell a story of suspicious attempts. There is a specific process to follow when deleting a policy. First, detach the policy from all users, groups, and roles that the policy is attached to, using DetachUserPolicy , DetachGroupPolicy , or DetachRolePolicy.
 how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]}
 known_false_positives = This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only.
 providing_technologies = null
@@ -973,7 +973,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = The following analytic identifies an attempt to disable multi-factor authentication for an AWS IAM user. An adversary who has obtained access to an AWS tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users.
 how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1556", "T1556.006"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1556", "T1556.006"], "nist": ["DE.CM"]}
 known_false_positives = AWS Administrators may disable MFA but it is highly unlikely for this event to occur without prior notice to the company
 providing_technologies = null
@@ -983,7 +983,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = The following analytic identifies the registration of a new Multi Factor authentication method for an AWS account logged through Amazon Secruity Lake (ASL). Adversaries who have obtained unauthorized access to an AWS account may register a new MFA method to maintain persistence.
 how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]}
 known_false_positives = Newly onboarded users who are registering an MFA method for the first time will also trigger this detection.
 providing_technologies = null
@@ -993,7 +993,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
 how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
 known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately triggered an AWS audit tool activity which may trigger this event.
 providing_technologies = null
@@ -1003,7 +1003,7 @@
 asset_type = EC2 Snapshot
 confidence = medium
 explanation = This search looks for suspicious AWS AMI attribute modifications, such as sharing it with another AWS account or making the full AMI image public. Adversaries are known to abuse these APIs to exfiltrate sensitive organization information stored in the AWS Resources, there by its very important to monitor these seemingly benign API activity in Cloudtrail logs.
 how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]}
 known_false_positives = It is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1013,7 +1013,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = The following analytic identifies an AWS IAM account with concurrent sessions coming from more than one unique IP address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources. When a user navigates the AWS Console after authentication, the API call with the event name `DescribeEventAggregates` is registered in the AWS CloudTrail logs. The Splunk Threat Research team leveraged this event name to identify 2 concurrent sessions. The presence of this event occurring from two different IP addresses is highly unlikely. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.
 how_to_implement = You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1185"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.CM"]}
 known_false_positives = A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1023,7 +1023,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = The following analytic identifies an authentication attempt event against an AWS Console that fails during the Multi Factor Authentication challenge. AWS Cloudtrail logs provide a a very useful field called `additionalEventData` that logs information regarding usage of MFA. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.
 how_to_implement = The Splunk AWS Add-on is required to utilize this data. The search requires AWS Cloudtrail logs.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1621"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1621"], "nist": ["DE.CM"]}
 known_false_positives = Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1033,7 +1033,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account.
 how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.CM"]}
 known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created a policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources and you must verify this activity.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1043,7 +1043,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
 how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.AE"]}
 known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1053,7 +1053,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip
 how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]}
 known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created a login profile for another user.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1063,7 +1063,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = It shows that there have been an unsuccessful attempt to log in using the user identity to the AWS management console. Since the user identity has access to AWS account services and resources, an attacker might try to brute force the password for that identity.
 how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.001"], "nist": ["DE.CM"]}
 known_false_positives = Users may genuinely mistype or forget the password.
 providing_technologies = null
@@ -1073,7 +1073,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This detection analytic identifies more than 10 GetPasswordData API calls made to your AWS account with a time window of 5 minutes. Attackers can retrieve the encrypted administrator password for a running Windows instance.
 how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. We encourage the users to adjust the values of `distinct_instance_ids` and tweak the `span` value according to their environment.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.001"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.001"], "nist": ["DE.AE"]}
 known_false_positives = Administrator tooling or automated scripts may make these calls but it is highly unlikely to make several calls in a short period of time.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1083,7 +1083,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = The master user password for Amazon RDS DB instance can be reset using the Amazon RDS console. Using this technique, the attacker can get access to the sensitive data from the DB. Usually, the production databases may have sensitive data like Credit card information, PII, Health care Data. This event should be investigated further.
 how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1110"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110"], "nist": ["DE.CM"]}
 known_false_positives = Users may genuinely reset the RDS password.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1103,7 +1103,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This analytic identifies AWS `DeleteTrail` events within CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the the entire cloudtrail that is logging activities in the environment.
 how_to_implement = You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = While this search has no known false positives, it is possible that an AWS admin has stopped cloudTrail logging. Please investigate this activity.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1113,7 +1113,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This analytic identifies AWS `DeleteLogGroup` events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.
 how_to_implement = You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]}
 known_false_positives = While this search has no known false positives, it is possible that an AWS admin has deleted CloudWatch logging. Please investigate this activity.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1123,7 +1123,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This analytic looks for several delete specific API calls made to AWS Security Services like CloudWatch, GuardDuty and Web Application Firewalls. These API calls are often leveraged by adversaries to weaken existing security defenses by deleting logging configurations in the CloudWatch alarm, delete a set of detectors from your Guardduty environment or simply delete a bunch of CloudWatch alarms to remain stealthy and avoid detection.
 how_to_implement = You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"]}
 known_false_positives = While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1133,7 +1133,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This analytic identifies `PutBucketLifecycle` events in CloudTrail logs where a user has created a new lifecycle rule for an S3 bucket with a short expiration period. Attackers may use this API call to impair the CloudTrail logging by removing logs from the S3 bucket by changing the object expiration day to 1 day, in which case the CloudTrail logs will be deleted.
 how_to_implement = You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. We recommend our users to set the expiration days value according to your company's log retention policies.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"]}
 known_false_positives = While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1143,7 +1143,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This analytic identifies `StopLogging` events in CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their macliious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may easily stop logging.
 how_to_implement = You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = While this search has no known false positives, it is possible that an AWS admin has stopped cloudtrail logging. Please investigate this activity.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1153,7 +1153,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This analytic identifies `UpdateTrail` events in CloudTrail logs. Attackers may evade the logging capability by updating the settings and impairing them with wrong parameters. For example, Attackers may change the multi-regional log into a single region logs, which evades the logging for other regions. When the adversary has the right type of permissions in the compromised AWS environment, they may update the CloudTrail settings that is logging activities in your environment.
 how_to_implement = You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]}
 known_false_positives = While this search has no known false positives, it is possible that an AWS admin has updated cloudtrail logging. Please investigate this activity.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1163,7 +1163,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This search provides detection of an user attaching itself to a different role trust policy. This can be used for lateral movement and escalation of privileges.
 how_to_implement = You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
 known_false_positives = Attach to policy can create a lot of noise. This search can be adjusted to provide specific values to identify cases of abuse (i.e status=failure). The search can provide context for common users attaching themselves to higher privilege policies or even newly created policies.
 providing_technologies = null
@@ -1173,7 +1173,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This search provides detection of accounts creating permanent keys. Permanent keys are not created by default and they are only needed for programmatic calls. Creation of Permanent key is an important event to monitor.
 how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
 known_false_positives = Not all permanent key creations are malicious. If there is a policy of rotating keys this search can be adjusted to provide better context.
 providing_technologies = null
@@ -1183,7 +1183,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This search provides detection of role creation by IAM users. Role creation is an event by itself if user is creating a new role with trust policies different than the available in AWS and it can be used for lateral movement and escalation of privileges.
 how_to_implement = You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
 known_false_positives = CreateRole is not very common in common users. This search can be adjusted to provide specific values to identify cases of abuse. In general AWS provides plenty of trust policies that fit most use cases.
 providing_technologies = null
@@ -1193,7 +1193,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This search provides detection of suspicious use of sts:AssumeRole. These tokens can be created on the go and used by attackers to move laterally and escalate privileges.
 how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
 known_false_positives = Sts:AssumeRole can be very noisy as it is a standard mechanism to provide cross account and cross resources access. This search can be adjusted to provide specific values to identify cases of abuse.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1203,7 +1203,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This search provides detection of suspicious use of sts:GetSessionToken. These tokens can be created on the go and used by attackers to move laterally and escalate privileges.
 how_to_implement = You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1550"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550"], "nist": ["DE.AE"]}
 known_false_positives = Sts:GetSessionToken can be very noisy as in certain environments numerous calls of this type can be executed. This search can be adjusted to provide specific values to identify cases of abuse. In specific environments the use of field requestParameters.serialNumber will need to be used.
 providing_technologies = null
@@ -1213,7 +1213,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This search provides detection of KMS keys where action kms:Encrypt is accessible for everyone (also outside of your organization). This is an indicator that your account is compromised and the attacker uses the encryption key to compromise another company.
 how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1486"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1223,7 +1223,7 @@
 asset_type = S3 Bucket
 confidence = medium
 explanation = This search provides detection of users with KMS keys performing encryption specifically against S3 buckets.
 how_to_implement = You must install Splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]}
 known_false_positives = There maybe buckets provisioned with S3 encryption
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1233,7 +1233,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = The following analytic detects AWS cloudtrail events where bucket versioning is suspended by a user. Versioning allows the AWS Administrators to maintain different version of the S3 bucket which can be used to recover deleted data. Adversaries have leveraged this technique in the wild during a ransomware incident to disable versioning so the client cannot recover the data.
 how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1490"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.AE"]}
 known_false_positives = It is possible that an AWS Administrator has legitimately disabled versioning on certain buckets to avoid costs.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1243,7 +1243,7 @@
 asset_type = EC2 Snapshot
 confidence = medium
 explanation = The following analytic utilizes AWS CloudTrail events to identify when an EC2 snapshot permissions are modified to be shared with a different AWS account. This method is used by adversaries to exfiltrate the EC2 snapshot.
 how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]}
 known_false_positives = It is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1253,7 +1253,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). You need to activate image scanning in order to get the event DescribeImageScanFindings with the results.
 how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1263,7 +1263,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). You need to activate image scanning in order to get the event DescribeImageScanFindings with the results.
 how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1273,7 +1273,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). You need to activate image scanning in order to get the event DescribeImageScanFindings with the results.
 how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1283,7 +1283,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). A upload of a new container is normally done during business hours. When done outside business hours, we want to take a look into it.
 how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
 known_false_positives = When your development is spreaded in different time zones, applying this rule can be difficult.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1293,7 +1293,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). A upload of a new container is normally done from only a few known users. When the user was never seen before, we should have a closer look into the event.
 how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1303,7 +1303,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This search looks for AWS CloudTrail events and analyse the amount of eventNames which starts with Describe by a single user. This indicates that this user scans the configuration of your AWS cloud environment.
 how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1526"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.CM"]}
 known_false_positives = While this search has no known false positives.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1313,7 +1313,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This search uses built in Splunk command `| anomalydetection` to detect anomalies with respect to users making high number of GetObject API calls to download objects from S3 in a 10 minute time window. The field `probable_cause` is the name of the field that best explains why the event is anomalous. This command identifies anomalous events by computing a probability for each GetObject event by "count" "user_type" "user_arn" and detects anomaly based on the frequencies.
 how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1119"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1119"], "nist": ["DE.AE"]}
 known_false_positives = It is possible that a user downloaded these files to use them locally and there are AWS services in configured that perform these activities for a legitimate reason. Filter is needed.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1323,7 +1323,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This search looks for events where AWS Batch Service is used for creating a job that could potentially abuse the AWS Bucket Replication feature on S3 buckets. This AWS service can used to transfer data between different AWS S3 buckets and an attacker can leverage this to exfiltrate data by creating a malicious batch job.
 how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1119"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1119"], "nist": ["DE.CM"]}
 known_false_positives = It is possible that an AWS Administrator or a user has legitimately created this job for some tasks.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1334,7 +1334,7 @@
 confidence = medium
 explanation = The following analytic detects API calls made to an S3 bucket when bucket replication services are enabled. S3 bucket replication is a feature offered by Amazon Web Services (AWS) that allows you to automatically and asynchronously copy data from one S3 bucket to another in the same or different region.\
 S3 bucket replication can also be used for cross-account replication, where data is replicated from a source bucket owned by one AWS account to a destination bucket owned by a different AWS account.
 how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]}
 known_false_positives = It is possible that an AWS admin has legitimately implemented data replication to ensure data availability and improve data protection/backup strategies.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1344,7 +1344,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This search looks for potential misuse of an AWS service known as DataSync. This AWS service is used to transfer data between different AWS cloud storage services, such as Amazon S3, Amazon EFS, and Amazon FSx for Windows File Server. Attackers can create a task in AWS to periodically copy data from a private AWS location to a public location resulting in the compromise of the data.
 how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1119"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1119"], "nist": ["DE.CM"]}
 known_false_positives = It is possible that an AWS Administrator has legitimately created this task for creating backup. Please check the `sourceLocationArn` and `destinationLocationArn` of this task
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1354,7 +1354,7 @@
 asset_type = EC2 Snapshot
 confidence = medium
 explanation = This search detects a series of AWS API calls, made in a short time window, related to EC2 snapshots that can detect a potential exfiltration via EC2 Snapshot modifications. In this attack, the attacker typically proceeds by listing and creating EC2 snapshots of the available EC2 instances followed by modifying snapshot attributes such that it can be shared externally. Once this is done, the attacker can then load that EC2 snapshot and access all the sensitive information.
 how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. We have intentionally removed `guardduty.amazonaws.com` from src_ip to remove false positives caused by guard duty. We recommend you adjust the time window as per your environment.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]}
 known_false_positives = It is possible that an AWS admin has legitimately shared a snapshot with an other account for a specific purpose. Please check any recent change requests filed in your organization.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1364,7 +1364,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = The following analytic identifies an AWS account with more than 20 failed authentication events in the span of 5 minutes. This behavior could represent a brute force attack against the account. As environments differ across organizations, security teams should customize the threshold of this detection.
 how_to_implement = You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
 known_false_positives = A user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1374,7 +1374,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = The following analytic identifies an IP address failing to authenticate 20 or more times to the AWS Web Console in the span of 5 minutes. This behavior could represent a brute force attack against an AWS tenant to obtain initial access or elevate privileges. As environments differ across organizations, security teams should customize the threshold of this detection.
 how_to_implement = You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the tried account threshold to tune this search according to their environment.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
 known_false_positives = An Ip address with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1384,7 +1384,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = The following detection identifies excessive AccessDenied events within an hour timeframe. It is possible that an access key to AWS may have been stolen and is being misused to perform discovery events. In these instances, the access is not available with the key stolen therefore these events will be generated.
 how_to_implement = The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1580"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1580"], "nist": ["DE.AE"]}
 known_false_positives = It is possible to start this detection will need to be tuned by source IP or user. In addition, change the count values to an upper threshold to restrict false positives.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1394,7 +1394,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = The following detection identifies any malformed policy document exceptions with a status of `failure`. A malformed policy document exception occurs in instances where roles are attempted to be assumed, or brute forced. In a brute force attempt, using a tool like CloudSploit or Pacu, an attempt will look like `arn:aws:iam::111111111111:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS`. Meaning, when an adversary is attempting to identify a role name, multiple failures will occur. This detection focuses on the errors of a remote attempt that is failing.
 how_to_implement = The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs. Set the `where count` greater than a value to identify suspicious activity in your environment.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1580", "T1110"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1580", "T1110"], "nist": ["DE.CM"]}
 known_false_positives = This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1404,7 +1404,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = The following detection identifes when a policy is deleted on AWS. This does not identify whether successful or failed, but the error messages tell a story of suspicious attempts. There is a specific process to follow when deleting a policy. First, detach the policy from all users, groups, and roles that the policy is attached to, using DetachUserPolicy , DetachGroupPolicy , or DetachRolePolicy.
 how_to_implement = The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]}
 known_false_positives = This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1414,7 +1414,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This detection identifies failure attempts to delete groups. We want to identify when a group is attempting to be deleted, but either access is denied, there is a conflict or there is no group. This is indicative of administrators performing an action, but also could be suspicious behavior occurring. Review parallel IAM events - recently added users, new groups and so forth.
 how_to_implement = The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]}
 known_false_positives = This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1424,7 +1424,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = The following query uses IAM events to track the success of a group being deleted on AWS. This is typically not indicative of malicious behavior, but a precurser to additional events thay may unfold. Review parallel IAM events - recently added users, new groups and so forth. Inversely, review failed attempts in a similar manner.
 how_to_implement = The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1069.003", "T1098", "T1069"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1069.003", "T1098", "T1069"], "nist": ["DE.AE"]}
 known_false_positives = This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1434,7 +1434,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = This analytic is designed to detect IAM users attempting to update/modify AWS lambda code via the AWS CLI to gain persistence, futher access into your AWS environment and to facilitate planting backdoors. In this instance, an attacker may upload malicious code/binary to a lambda function which will be executed automatically when the funnction is triggered.
 how_to_implement = You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
 known_false_positives = While this search has no known false positives, it is possible that an AWS admin or an autorized IAM user has updated the lambda fuction code legitimately.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1444,7 +1444,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = The following analytic identifies an attempt to disable multi-factor authentication for an AWS IAM user. An adversary who has obtained access to an AWS tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users.
 how_to_implement = The Splunk AWS Add-on is required to utilize this data. The search requires AWS Cloudtrail logs.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1556", "T1556.006"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1556", "T1556.006"], "nist": ["DE.CM"]}
 known_false_positives = AWS Administrators may disable MFA but it is highly unlikely for this event to occur without prior notice to the company
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1454,7 +1454,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = The following analytic identifies multiple failed multi-factor authentication requests to an AWS Console for a single user. AWS Cloudtrail logs provide a a very useful field called `additionalEventData` that logs information regarding usage of MFA. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. AWS Environments can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.
 how_to_implement = The Splunk AWS Add-on is required to utilize this data. The search requires AWS Cloudtrail logs.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1621"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1621"], "nist": ["DE.AE"]}
 known_false_positives = Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1464,7 +1464,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = The following analytic identifies one source Ip failing to authenticate into the AWS Console with 30 unique valid users within 10 minutes. This behavior could represent an adversary performing a Password Spraying attack against an AWS environment tenant to obtain initial access or elevate privileges.
 how_to_implement = You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the tried account threshold to tune this search according to their environment.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
 known_false_positives = No known false postives for this detection. Please review this alert
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1474,7 +1474,7 @@
 asset_type = AWS Instance
 confidence = medium
 explanation = The search looks for AWS CloudTrail events to detect if any network ACLs were created with all the ports open to a specified CIDR.
 how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS, version 4.4.0 or later, and configure your AWS CloudTrail inputs.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = It's possible that an admin has created this ACL with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1484,7 +1484,7 @@
 asset_type = AWS Instance
 confidence = medium
 explanation = Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the AWS console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the AWS CloudTrail logs to detect users deleting network ACLs.
 how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.AE"]}
 known_false_positives = It's possible that a user has legitimately deleted a network ACL.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1494,7 +1494,7 @@
 asset_type = AWS Account
 confidence = medium
 explanation = The following analytic identifies the registration of a new Multi Factor authentication method for an AWS account. Adversaries who have obtained unauthorized access to an AWS account may register a new MFA method to maintain persistence.
 how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works when AWS CloudTrail logs.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]}
 known_false_positives = Newly onboarded users who are registering an MFA method for the first time will also trigger this detection.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -1504,7 +1504,7 @@ asset_type = AWS Account
 confidence = medium
 explanation = This search looks for AWS CloudTrail events where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
 how_to_implement = You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
 known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately triggered an AWS audit tool activity which may trigger this event.
 providing_technologies = ["Amazon Web Services - Cloudtrail"] 
@@ -1514,7 +1514,7 @@ asset_type = AWS Account
 confidence = medium
 explanation = This correlation search looks at the risk events created by the detection analytics related Collection and Exfiltration techniques used by adversaries. The rule is designed to identify instances where 2 or more analytics unique AWS analytics and 2 or more distinct mitre IDs has triggered for a particular risk object. This alert when triggered may indicate a potential exfiltration in progress. By aggregating these analytics, security teams can swiftly respond to and investigate any suspicious activities, enhancing their ability to protect critical assets and prevent unauthorized access to sensitive information.
 how_to_implement = You must enable all the detection searches in the Data Exfiltration Analytic story to create risk events in Enterprise Security. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1537"], "nist": ["DE.AE"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.AE"]}
 known_false_positives = alse positives may be present based on automated tooling or system administrators. Filter as needed.
 providing_technologies = null 
@@ -1524,7 +1524,7 @@ asset_type = AWS Federated Account
 confidence = medium
 explanation = This search provides specific SAML access from specific Service Provider, user and targeted principal at AWS. This search provides specific information to detect abnormal access or potential credential hijack or forgery, specially in federated environments using SAML protocol inside the perimeter or cloud provider.
 how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
 known_false_positives = Attacks using a Golden SAML or SAML assertion hijacks or forgeries are very difficult to detect as accessing cloud providers with these assertions looks exactly like normal access, however things such as source IP sourceIPAddress user, and principal targeted at receiving cloud provider along with endpoint credential access and abuse detection searches can provide the necessary context to detect these attacks.
 providing_technologies = ["Amazon Web Services - Cloudtrail"] 
@@ -1534,7 +1534,7 @@ asset_type = AWS Federated Account
 confidence = medium
 explanation = This search provides detection of updates to SAML provider in AWS. Updates to SAML provider need to be monitored closely as they may indicate possible perimeter compromise of federated credentials, or backdoor access from another cloud provider set by attacker.
 how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.CM"]}
 known_false_positives = Updating a SAML provider or creating a new one may not necessarily be malicious however it needs to be closely monitored.
 providing_technologies = ["Amazon Web Services - Cloudtrail"] 
@@ -1544,7 +1544,7 @@ asset_type = AWS Account
 confidence = medium
 explanation = This search looks for AWS CloudTrail events where a user has set a default policy versions. Attackers have been know to use this technique for Privilege Escalation in case the previous versions of the policy had permissions to access more resources than the current version of the policy
 how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.CM"]}
 known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately set a default policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources
 providing_technologies = ["Amazon Web Services - Cloudtrail"] 
@@ -1554,7 +1554,7 @@ asset_type = AWS Account
 confidence = medium
 explanation = The following analytic identifies an AWS account successfully authenticating from more than one unique Ip address in the span of 5 minutes. This behavior could represent an adversary who has stolen credentials via a phishing attack or some other method and using them to access corporate online resources around the same time as a legitimate user. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.
 how_to_implement = You must install Splunk AWS add on and Splunk App for AWS. This search works when AWS CloudTrail events are normalized use the Authentication datamodel. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1535"], "nist": ["DE.AE"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1535"], "nist": ["DE.AE"]}
 known_false_positives = A user with successful authentication events from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.
 providing_technologies = ["Amazon Web Services - Cloudtrail"] 
@@ -1564,7 +1564,7 @@ asset_type = AWS Account
 confidence = medium
 explanation = The following analytic identifies a successful Console Login authentication event against an AWS IAM user for an account without Multi-Factor Authentication enabled. This could be evidence of a misconfiguration, a policy violation or an account take over attempt that should be investigated
 how_to_implement = The Splunk AWS Add-on is required to utilize this data. The search requires AWS Cloudtrail logs. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]}
 known_false_positives = It is possible that some accounts do not have MFA enabled for the AWS account however its agaisnt the best practices of securing AWS.
 providing_technologies = ["Amazon Web Services - Cloudtrail"] 
@@ -1574,7 +1574,7 @@ asset_type = AWS Account
 confidence = medium
 explanation = The following analytic identifies one source IP failing to authenticate into the AWS Console with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against an AWS environment to obtain initial access or elevate privileges. The detection calculates the standard deviation for source IP and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the bucket span time and the calculation of the upperBound field. This logic can be used for real time security monitoring as well as threat hunting exercises. While looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `AWS Multiple Users Failing To Authenticate From Ip`.
 how_to_implement = You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the calculation of the upperBound field to tune this search according to their environment 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
 known_false_positives = No known false postives for this detection. Please review this alert
 providing_technologies = ["Amazon Web Services - Cloudtrail"] 
@@ -1584,7 +1584,7 @@ asset_type = AWS Account
 confidence = medium
 explanation = This search looks for AWS CloudTrail events where a user A who has already permission to update login profile, makes an API call to update login profile for another user B . Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B)
 how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]}
 known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.
 providing_technologies = ["Amazon Web Services - Cloudtrail"] 
@@ -1594,17 +1594,27 @@ asset_type = Azure Active Directory
 confidence = medium
 explanation = The following analytic triggers on a high risk sign-in against Azure Active Directory identified by Azure Identity Protection. Identity Protection monitors sign-in events using heuristics and machine learning to identify potentially malicious events and categorizes them in three categories high, medium and low.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the RiskyUsers and UserRiskEvents log category in the azure:monitor:aad sourcetype. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003"], "nist": ["DE.CM"]}
 known_false_positives = Details for the risk calculation algorithm used by Identity Protection are unknown and may be prone to false positives.
 providing_technologies = null 
+[savedsearch://ESCU - Azure AD Admin Consent Bypassed by Service Principal - Rule] 
+type = detection 
+asset_type = Azure Active Directory 
+confidence = medium 
+explanation = This detection focuses on identifying instances in Azure Active Directory where a service principal assigns app roles without standard admin consent, using Entra ID logs. It operates on the azure_monitor_aad data source, scrutinizing the "Add app role assignment to service principal" operation, specifically from service principals. The query dissects details such as role ID, value, and description, important for understanding the nature of the roles being assigned. 
Monitoring this in a SOC is critical as it flags potential bypasses of vital administrative consent processes in Azure AD, which could result in unauthorized privileges being granted. A true positive detection suggests that a service principal may be exploiting automation to assign sensitive permissions without proper oversight. 
+how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlog log category 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.003"], "nist": ["DE.CM"]} 
+known_false_positives = Service Principals are sometimes configured to legitimately bypass the consent process for purposes of automation. Filter as needed. 
+providing_technologies = null 
+
 [savedsearch://ESCU - Azure AD Application Administrator Role Assigned - Rule]
 type = detection
 asset_type = Azure Active Directory
 confidence = medium
 explanation = The following analytic identifies the assignment of the Application Administrator role to an Azure AD user. Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. This role also grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the applications identity. If the applications identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. 
This ability to impersonate the applications identity may be an elevation of privilege over what the user can do via their role assignments. Red teams and adversaries alike may abuse this role to escalate their privileges in an Azure AD tenant.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlog log category 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
 known_false_positives = Administrators may legitimately assign the Application Administrator role to a user. Filter as needed.
 providing_technologies = null 
@@ -1614,7 +1624,7 @@ asset_type = Azure Active Directory
 confidence = medium
 explanation = The following analytic identifies an authentication attempt event against an Azure AD tenant that fails during the Multi Factor Authentication challenge. Error Code 500121 represents a failed attempt to authenticate using a second factor. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"]}
 known_false_positives = Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake.
 providing_technologies = null 
@@ -1624,7 +1634,7 @@ asset_type = Azure AD
 confidence = medium
 explanation = This analytic detects when the risk-based step-up consent security setting in Azure AD is disabled. This setting, when enabled, prevents regular users from granting consent to potentially malicious OAuth applications, requiring an administrative step-up for consent instead. Disabling this feature could expose the organization to OAuth phishing threats.The detection operates by monitoring Azure Active Directory logs for events where the "Update authorization policy" operation is performed. It specifically looks for changes to the "AllowUserConsentForRiskyApps" setting, identifying instances where this setting is switched to "true," effectively disabling the risk-based step-up consent. Monitoring for changes to critical security settings like the "risk-based step-up consent" is vital for maintaining the integrity of an organization's security posture. Disabling this feature can make the environment more susceptible to OAuth phishing attacks, where attackers trick users into granting permissions to malicious applications. Identifying when this setting is disabled can help blue teams to quickly respond, investigate, and potentially uncover targeted phishing campaigns against their users. If an attacker successfully disables the "risk-based step-up consent" and subsequently launches an OAuth phishing campaign, they could gain unauthorized access to user data and other sensitive information within the M365 environment. This could lead to data breaches, unauthorized access to emails, and potentially further compromise within the organization
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. 
This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562"], "nist": ["DE.CM"]}
 known_false_positives = Legitimate changes to the 'risk-based step-up consent' setting by administrators, perhaps as part of a policy update or security assessment, may trigger this alert, necessitating verification of the change's intent and authorization
 providing_technologies = null 
@@ -1634,7 +1644,7 @@ asset_type = Azure AD
 confidence = medium
 explanation = The following analytic identifies an Azure AD account with concurrent sessions coming from more than one unique Ip address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1185"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.CM"]}
 known_false_positives = A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.
 providing_technologies = null 
@@ -1644,7 +1654,7 @@ asset_type = Azure AD
 confidence = medium
 explanation = The following analytic identifies the execution of the Azure Device Code Phishing attack, which can lead to Azure Account Take-Over (ATO). The detection leverages Azure AD logs specifically focusing on authentication requests to identify the attack. This technique involves creating malicious infrastructure, bypassing Multi-Factor Authentication (MFA), and bypassing Conditional Access Policies (CAPs). The attack aims to compromise users by sending them phishing emails from attacker-controlled domains and trick the victims into performing OAuth 2.0 device authentication. A successful execution of this attack can result in adversaries gaining unauthorized access to Azure AD, Exchange mailboxes, and the target's Outlook Web Application (OWA). This attack technique was detailed by security researchers including Bobby Cooke, Stephan Borosh, and others. It's crucial for organizations to be aware of this threat, as it can lead to unauthorized access and potential data breaches.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1528", "T1566", "T1566.002"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery"], "mitre_attack": ["T1528", "T1566", "T1566.002"], "nist": ["DE.CM"]}
 known_false_positives = In most organizations, device code authentication will be used to access common Microsoft service but it may be legitimate for others. Filter as needed.
 providing_technologies = null 
@@ -1654,17 +1664,27 @@ asset_type = Azure Active Directory
 confidence = medium
 explanation = The following analytic identifies the invitation of an external guest user within Azure AD. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. External guest account invitations should be monitored by security teams as they could potentially lead to unauthorized access. An example of this attack vector was described at BlackHat 2022 by security researcher Dirk-Jan during his tall `Backdooring and Hijacking Azure AD Accounts by Abusing External Identities`
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1136.003"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.CM"]}
 known_false_positives = Administrator may legitimately invite external guest users. Filter as needed.
 providing_technologies = null 
+[savedsearch://ESCU - Azure AD FullAccessAsApp Permission Assigned - Rule] 
+type = detection 
+asset_type = Azure Active Directory 
+confidence = medium 
+explanation = The following analytic identifies when the 'full_access_as_app' permission, marked by the GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', is assigned to an application within Office 365 Exchange Online, identified by ResourceAppId '00000002-0000-0ff1-ce00-000000000000'. This permission grants broad control over Office 365 operations, including full access to all mailboxes and the capability to send emails as any user. 
The query utilizes the azure_monitor_aad data source, focusing on AuditLogs with the operation name 'Update application'. This monitoring is crucial for early detection of potential unauthorized access or data exfiltration, as the 'full_access_as_app' permission could lead to significant security incidents if exploited. 
+how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.002", "T1098.003"], "nist": ["DE.CM"]} 
+known_false_positives = The full_access_as_app API permission may be assigned to legitimate applications. Filter as needed. 
+providing_technologies = null 
+
 [savedsearch://ESCU - Azure AD Global Administrator Role Assigned - Rule]
 type = detection
 asset_type = Azure Active Directory
 confidence = medium
 explanation = The following analytic identifies the assignment of the Azure AD Global Administrator role to an Azure AD user. The Global Administrator role is the most powerful administrator role in Azure AD and provides almost unlimited access to data, resources and settings. It is equivalent to the Domain Administrator group in an Active Directory environment. While Azure AD roles do not grant access to Azure services and resources, it is possible for a Global Administrator account to gain control of Azure resources. Adversaries and red teams alike may assign this role to a compromised account to establish Persistence or escalate their privileges in an Azure AD environment. 
how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1098.003"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.003"], "nist": ["DE.CM"]}
 known_false_positives = Administrators may legitimately assign the Global Administrator role to a user. Filter as needed.
 providing_technologies = null 
@@ -1674,7 +1694,7 @@ asset_type = Azure AD
 confidence = medium
 explanation = The following analytic identifies an Azure AD account with more than 20 failed authentication events in the span of 10 minutes. This behavior could represent a brute force attack against the account. As environments differ across organizations, security teams should customize the threshold of this detection.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1110", "T1110.001"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001"], "nist": ["DE.CM"]}
 known_false_positives = A user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.
 providing_technologies = null 
@@ -1684,7 +1704,7 @@ asset_type = Azure AD
 confidence = medium
 explanation = The following analytic identifies an Ip address failing to authenticate 20 or more times to an Azure AD tenant in the span of 10 minutes. This behavior could represent a brute force attack againstan Azure AD to obtain initial access or elevate privileges. As environments differ across organizations, security teams should customize the threshold of this detection.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1110", "T1110.001", "T1110.003"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001", "T1110.003"], "nist": ["DE.CM"]}
 known_false_positives = An Ip address with more than 20 failed authentication attempts in the span of 10 minutes may also be triggered by a broken application.
 providing_technologies = null 
@@ -1694,7 +1714,7 @@ asset_type = Azure Active Directory
 confidence = medium
 explanation = The following analytic identifies an attempt to disable multi-factor authentication for an Azure AD user. An adversary who has obtained access to an Azure AD tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1556", "T1556.006"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1556", "T1556.006"], "nist": ["DE.CM"]}
 known_false_positives = Legitimate use case may require for users to disable MFA. Filter as needed.
 providing_technologies = null 
@@ -1704,7 +1724,7 @@ asset_type = Azure AD
 confidence = medium
 explanation = This analytic detects potential distributed password spraying attacks within an Azure AD environment. It identifies a notable increase in failed authentication attempts across a variety of unique user-and-IP address combinations, originating from multiple source IP addresses and countries, and employing different user agents. Such patterns suggest an adversary's attempt to bypass security controls by using a range of IP addresses to test commonly used passwords against numerous user accounts. The detection scrutinizes SignInLogs from Azure AD logs, particularly focusing on events with error code 50126, which signals a failed authentication due to incorrect credentials. By collating data over a five-minute interval, the analytic computes the distinct counts of user-and-IP combinations, unique users, source IPs, and countries. It then applies a set of thresholds to these metrics to pinpoint unusual activities that could indicate a coordinated attack effort. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Recognizing this behavior is vital for security operations centers (SOCs) as distributed password spraying represents a more complex form of traditional password spraying. Attackers distribute the source of their attempts to evade detection mechanisms that typically monitor for single-source IP anomalies. Prompt detection of such distributed activities is essential to thwart unauthorized access attempts, prevent account compromises, and mitigate the risk of further malicious activities within the organization's network. A true positive alert from this analytic suggests an active distributed password spraying attack against the organization's Azure AD tenant.
A successful attack could result in unauthorized access, particularly to accounts with elevated privileges, leading to data breaches, privilege escalation, persistent threats, and lateral movement within the organization's infrastructure.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
 known_false_positives = This detection may yield false positives in scenarios where legitimate bulk sign-in activities occur, such as during company-wide system updates or when users are accessing resources from varying locations in a short time frame, such as in the case of VPNs or cloud services that rotate IP addresses. Filter as needed.
 providing_technologies = null
@@ -1714,7 +1734,7 @@ asset_type = Azure AD Tenant
 confidence = medium
 explanation = This analytic is crafted to identify unusual and potentially malicious authentication activity within an Azure AD environment. It triggers when a single user account is involved in more than 8 authentication attempts, using 3 or more unique application IDs and more than 5 unique user agents within a short timeframe. This pattern is atypical for regular user behavior and may indicate an adversary's attempt to probe the environment, testing for multi-factor authentication requirements across different applications and platforms. The detection is based on analysis of Azure AD audit logs, specifically focusing on authentication events. It employs statistical thresholds to highlight instances where the volume of authentication attempts and the diversity of application IDs and user agents associated with a single user account exceed normal parameters. Identifying this behavior is crucial as it provides an early indication of potential account compromise. Adversaries, once in possession of user credentials, often conduct reconnaissance to understand the security controls in place, including multi-factor authentication configurations. Tools like Invoke-MFASweep are commonly used for this purpose, automating the process of testing different user agents and application IDs to bypass MFA. By detecting these initial probing attempts, security teams can swiftly respond, potentially stopping an attack in its early stages and preventing further unauthorized access. This proactive stance is vital for maintaining the integrity of the organization's security posture. If validated as a true positive, this detection points to a compromised account, signaling that an attacker is actively attempting to navigate security controls to maintain access and potentially escalate privileges. This could lead to further exploitation, lateral movement within the network, and eventual data exfiltration.
Recognizing and responding to this early stage of an attack is vital for preventing substantial harm and safeguarding sensitive organizational data and systems.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
 known_false_positives = Rapid authentication from the same user using more than 5 different user agents and 3 application IDs is highly unlikely under normal circumstances. However, there are potential scenarios that could lead to false positives.
 providing_technologies = null
@@ -1724,7 +1744,7 @@ asset_type = Azure Active Directory
 confidence = medium
 explanation = This analytic targets the detection of an unusually high number of denied Multi-Factor Authentication (MFA) requests for a single user within a 10-minute window, specifically identifying instances where more than nine MFA prompts were declined by the user. Utilizing Azure Active Directory (Azure AD) sign-in logs, particularly focusing on "Sign-in activity" events, it filters for scenarios where the MFA request was denied due to the user declining the authentication, as indicated by error code 500121 and additional details stating "MFA denied; user declined the authentication." The data is then aggregated into 10-minute intervals, counting distinct raw events and capturing the earliest and latest times of occurrence for each user. This behavior is significant for a Security Operations Center (SOC) as it could be an early indicator of a targeted attack or an account compromise attempt, with an attacker having obtained the user's credentials and the user actively declining the MFA prompts, preventing unauthorized access. A true positive detection would imply that an attacker is on the verge of gaining full access to the user's account, posing a threat that could lead to data exfiltration, lateral movement, or further malicious activities within the organization, necessitating immediate investigation and response to safeguard the organization's assets.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1621"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1621"], "nist": ["DE.CM"]}
 known_false_positives = Multiple denifed MFA requests in a short period of span may also be a sign of authentication errors. Investigate and filter as needed.
 providing_technologies = null
@@ -1734,10 +1754,30 @@ asset_type = Azure Active Directory
 confidence = medium
 explanation = The following analytic identifies multiple failed multi-factor authentication requests for a single user within an Azure AD tenant. Error Code 500121 represents a failed attempt to authenticate using a second factor. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. The reasons for these failure could be several, like the user not responding in time or receiving multiple duplicate MFA requests. Azure AD tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1078", "T1078.004"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1078", "T1078.004"], "nist": ["DE.CM"]}
 known_false_positives = Multiple Failed MFA requests may also be a sign of authentication or application issues.
Filter as needed.
 providing_technologies = null
+[savedsearch://ESCU - Azure AD Multiple Service Principals Created by SP - Rule]
+type = detection
+asset_type = Azure Active Directory
+confidence = medium
+explanation = This detection identifies when a single service principal in Azure AD creates more than three unique OAuth applications within a 10-minute span, potentially signaling malicious activity. It monitors the 'Add service principal' operation, focusing on the activity of service principals rather than individual users. By aggregating the creation events over a 10-minute period, the analytic tracks how many distinct OAuth applications are created by each service principal. This is key for SOC teams to pinpoint potential attack staging, where an attacker might use a compromised or malicious service principal to rapidly establish multiple service principals, facilitating network infiltration or expansion. While the default threshold is set to trigger on more than three applications, security teams should adjust this to fit their specific environment's norm
+how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"]}
+known_false_positives = Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed.
+providing_technologies = null
+
+[savedsearch://ESCU - Azure AD Multiple Service Principals Created by User - Rule]
+type = detection
+asset_type = Azure Active Directory
+confidence = medium
+explanation = This detection focuses on identifying instances where a single user creates more than three unique OAuth applications within a 10-minute timeframe in Azure AD, a potential indicator of malicious activity. By monitoring the 'Add service principal' operation and aggregating the data with a 10-minute bucket span, it tracks the number of distinct OAuth applications created by each user. This analytic is crucial for SOC teams to detect possible staging of attacks, where an adversary might rapidly create multiple service principals as part of their infiltration or expansion strategy within the network. The threshold of three applications is set to flag unusual behavior, but security teams are advised to adjust this value to suit the normal operational patterns of their environment
+how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"]}
+known_false_positives = Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed.
+providing_technologies = null
+
 [savedsearch://ESCU - Azure AD Multiple Users Failing To Authenticate From Ip - Rule]
 type = detection
 asset_type = Azure Active Directory
@@ -1745,7 +1785,7 @@ confidence = medium
 explanation = The following analytic identifies one source Ip failing to authenticate with 30 unique valid users within 5 minutes. This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password. This logic can be used for real time security monitoring as well as threat hunting exercises.\
 Azure AD tenants can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold if needed.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
 known_false_positives = A source Ip failing to authenticate with multiple users is not a common for legitimate behavior.
 providing_technologies = null
@@ -1755,7 +1795,7 @@ asset_type = Azure Active Directory
 confidence = medium
 explanation = The following analytic identifies the addition of a new custom domain within an Azure Active Directory tenant. Adding a custom domain is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1484", "T1484.002"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.002"], "nist": ["DE.CM"]}
 known_false_positives = In most organizations, new customm domains will be updated infrequently. Filter as needed.
 providing_technologies = null
@@ -1765,7 +1805,7 @@ asset_type = Azure Active Directory
 confidence = medium
 explanation = The following analytic identifies the addition of a new federated domain within an Azure Active Directory tenant. This event could represent the execution of the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1484", "T1484.002"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.002"], "nist": ["DE.CM"]}
 known_false_positives = In most organizations, domain federation settings will be updated infrequently. Filter as needed.
 providing_technologies = null
@@ -1775,7 +1815,7 @@ asset_type = Azure AD
 confidence = medium
 explanation = This analytic detects the registration of a new Multi-Factor Authentication (MFA) method associated with a user account within Azure Active Directory by monitoring Azure AD audit logs and configurations. While adding a new MFA method can be a routine and legitimate action, it can also be indicative of an attacker's attempt to maintain persistence on a compromised account. By registering a new MFA method, attackers can potentially bypass existing security measures, allowing them to authenticate using stolen credentials without raising alarms. Monitoring for such changes is crucial, especially if the addition is not preceded by a user request or if it deviates from typical user behavior. If an attacker successfully registers a new MFA method on a compromised account, they can solidify their access, making it harder for legitimate users to regain control. The attacker can then operate with the privileges of the compromised account, potentially accessing sensitive data, making unauthorized changes, or even escalating their privileges further. Immediate action would be required to verify the legitimacy of the MFA change and, if malicious, to remediate and secure the affected account.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1098", "T1098.005"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.005"], "nist": ["DE.CM"]}
 known_false_positives = Users may register MFA methods legitimally, investigate and filter as needed.
 providing_technologies = null
@@ -1785,7 +1825,7 @@ asset_type = Azure Active Directory
 confidence = medium
 explanation = The following analytic identifies the registration of a new Multi Factor authentication method for an Azure AD account. Adversaries who have obtained unauthorized access to an Azure AD account may register a new MFA method to maintain persistence.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]}
 known_false_positives = Newly onboarded users who are registering an MFA method for the first time will also trigger this detection.
 providing_technologies = null
@@ -1795,7 +1835,7 @@ asset_type = Azure AD
 confidence = medium
 explanation = This analytic detects when a user in an Azure AD environment grants consent to an OAuth application, capturing any consent granted regardless of the specific permissions requested. Utilizing Azure AD audit logs, it focuses on events related to OAuth application consents, alerting security teams to instances where users actively grant consent to applications. This monitoring is crucial as it highlights potential risks associated with third-party applications gaining access to organizational data, a tactic often exploited by malicious actors to gain unauthorized access. A true positive from this analytic necessitates immediate investigation to validate the application's legitimacy, review the granted permissions, and assess potential risks, helping to prevent unauthorized access and protect sensitive data and resources. While false positives may occur with legitimate application integrations, ensuring alignment with organizational policies and security best practices is paramount.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]}
 known_false_positives = False positives may occur if users are granting consents as part of legitimate application integrations or setups. It is crucial to review the application and the permissions it requests to ensure they align with organizational policies and security best practices.
 providing_technologies = null
@@ -1805,7 +1845,7 @@ asset_type = Azure Active Directory
 confidence = medium
 explanation = The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds active assignment for the role. While PIM can be leveraged as a powerful security control, it may also abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
 known_false_positives = As part of legitimate administrative behavior, users may be assigned PIM roles. Filter as needed
 providing_technologies = null
@@ -1815,7 +1855,7 @@ asset_type = Azure Active Directory
 confidence = medium
 explanation = The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds active assignment for the role. While PIM can be leveraged as a powerful security control, it may also abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
 known_false_positives = As part of legitimate administrative behavior, users may activate PIM roles. Filter as needed
 providing_technologies = null
@@ -1825,17 +1865,27 @@ asset_type = Azure Active Directory
 confidence = medium
 explanation = The following analytic identifies the assignment of the Privileged Authentication Administrato role to an Azure AD user. Users in this role can set or reset authentication methods for any user in Azure Active Directory, including privileged roles like Global Administrators. Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the credentials of a user may mean the ability to assume that users identity and permissions. Red teams and adversaries alike may abuse this role to escalate their privileges.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]}
 known_false_positives = Administrators may legitimately assign the Privileged Authentication Administrator role as part of administrative tasks. Filter as needed.
 providing_technologies = null
+[savedsearch://ESCU - Azure AD Privileged Graph API Permission Assigned - Rule]
+type = detection
+asset_type = Azure Active Directory
+confidence = medium
+explanation = This Splunk analytic flags the assignment of three high-risk Graph API permissions in Azure AD, Application.ReadWrite.All (1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9), AppRoleAssignment.ReadWrite.All (06b708a9-e830-4db3-a914-8e69da51d44f), and RoleManagement.ReadWrite.Directory (9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8).
These permissions enable broad control over Azure AD, including application and directory settings. Utilizing azure_monitor_aad data, the query scans AuditLogs for 'Update application' operations, identifying when these permissions are assigned. It collects data on user, object, and user agent. Immediate attention is needed upon detection, as misuse of these permissions can lead to unauthorized Azure AD modifications and potential security breaches.
+how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]}
+known_false_positives = Privileged Graph API permissions may be assigned for legitimate purposes. Filter as needed.
+providing_technologies = null
+
 [savedsearch://ESCU - Azure AD Privileged Role Assigned - Rule]
 type = detection
 asset_type = Azure Active Directory
 confidence = medium
 explanation = The following analytic identifies the assignment of sensitive and privileged Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike may assign these roles to a compromised account to establish Persistence in an Azure AD environment.
 how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
 known_false_positives = Administrators will legitimately assign the privileged roles users as part of administrative tasks. Filter as needed.
 providing_technologies = null
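Review bot: The added `Azure AD Privileged Graph API Permission Assigned` stanza is annotated with `"mitre_attack": ["T1003.002"]` (OS Credential Dumping: Security Account Manager), which looks copied from the Privileged Authentication Administrator stanza directly above it and does not describe granting Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All or RoleManagement.ReadWrite.Directory to an application. That behaviour is account/role manipulation; `"mitre_attack": ["T1098", "T1098.003"]` would match how the sibling privileged-role-assignment stanzas in this same hunk are mapped, and since this file is produced by the release job the correction belongs in the detection's source YAML rather than in dist/. Separately, the stanza's `explanation` value appears to continue onto a second line without the trailing `\` that the other multi-line value in this diff uses; if that break is real in the .conf and not an artefact of how the page was rendered, the second line will not be read as part of the value, so it is worth confirming in the generated output.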
@@ -1845,17 +1895,27 @@ asset_type = Azure Active Directory confidence = medium explanation = The following analytic detects potential privilege escalation threats in Azure Active Directory (AD). The detection is made by running a specific search within the ingested Azure Active Directory events to leverage the AuditLogs log category. This detection is important because it identifies instances where privileged roles that hold elevated permissions are assigned to service principals. This prevents unauthorized access or malicious activities, which occur when these non-human entities access Azure resources to exploit them. False positives might occur since administrators can legitimately assign privileged roles to service principals. how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} known_false_positives = Administrators may legitimately assign the privileged roles to Service Principals as part of administrative tasks. Filter as needed. providing_technologies = null +[savedsearch://ESCU - Azure AD Service Principal Authentication - Rule] +type = detection +asset_type = Azure Active Directory +confidence = medium +explanation = Monitoring service principal authentication events in Azure Active Directory is crucial, but to effectively leverage this detection, teams should first conduct a thorough inventory of all service principals and their source IPs to establish a baseline of normal behavior. 
The detection, using azure_monitor_aad, specifically targets "Sign-in activity" within ServicePrincipalSignInLogs, gathering key details like sign-in frequency, timing, source IPs, and accessed resources. This baseline is essential for SOC teams to distinguish between regular application authentication and anomalous patterns that might suggest compromised credentials or malicious activities. +how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.CM"]} +known_false_positives = Service Principals will legitimally authenticate remotely to your tenant. Implementing this detection after establishing a baseline enables a more accurate identification of security threats, ensuring proactive and informed responses to safeguard the Azure AD environment. source ips. +providing_technologies = null + [savedsearch://ESCU - Azure AD Service Principal Created - Rule] type = detection asset_type = Azure Active Directory confidence = medium explanation = The following analytic identifies the creation of a Service Principal in an Azure AD environment. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. 
Adversaries and red teams alike who have obtained administrative access may create a Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment. how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment thorough an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1136.003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.CM"]} known_false_positives = Administrator may legitimately create Service Principal. Filter as needed. providing_technologies = null 
@@ -1865,7 +1925,7 @@ asset_type = Azure Active Directory confidence = medium explanation = The following analytic identifies the addition of new credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD. These credentials include both x509 certificates and passwords. With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules. Adversaries and red teams alike who have obtained privileged access to Azure AD may add credentials to Service Principals to maintain persistent access to victim accounts and other instances within the Azure environment. By compromising an account who is an Owner of an application with privileged access, attackers may also escalate their privileges in an Azure AD environment by adding new credentials and logging in as the service principal. how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1098", "T1098.001"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.001"], "nist": ["DE.CM"]} known_false_positives = Service Principal client credential modifications may be part of legitimate administrative operations. Filter as needed. providing_technologies = null 
@@ -1875,7 +1935,7 @@ asset_type = Azure Active Directory confidence = medium explanation = The following analytic identifies the addition of a new owner for a Service Principal within an Azure AD tenant. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may add a new owner for an existing Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment. Attackers who are looking to escalate their privileges by leveraging a Service Principals permissions may also add a new owner. how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} known_false_positives = Administrator may legitimately add new owners for Service Principals. Filter as needed. providing_technologies = null 
@@ -1885,7 +1945,7 @@ asset_type = Azure AD confidence = medium explanation = The following analytic identifies an Azure AD account successfully authenticating from more than one unique Ip address in the span of 30 minutes. This behavior could represent an adversary who has stolen credentials via a phishing attack or some other method and using them to access corporate online resources around the same time as a legitimate user. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments. how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1110", "T1110.001", "T1110.003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001", "T1110.003"], "nist": ["DE.CM"]} known_false_positives = A user with successful authentication events from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment. providing_technologies = null 
@@ -1895,7 +1955,7 @@ asset_type = Azure Active Directory confidence = medium explanation = The following analytic identifies a successful authentication event against an Azure AD tenant using PowerShell commandlets. This behavior is not common for regular, non administrative users. After compromising an account in Azure AD, attackers and red teams alike will perform enumeration and discovery techniques. One method of executing these techniques is leveraging the native PowerShell modules. how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]} known_false_positives = Administrative users will likely use PowerShell commandlets to troubleshoot and maintain the environment. Filter as needed. providing_technologies = null 
@@ -1905,7 +1965,7 @@ asset_type = Azure Active Directory confidence = medium explanation = The following analytic identifies a successful authentication event against Azure Active Directory for an account without Multi-Factor Authentication enabled. This could be evidence of a missconfiguration, a policy violation or an account take over attempt that should be investigated how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]} known_false_positives = Although not recommended, certain users may be required without multi-factor authentication. Filter as needed providing_technologies = null 
@@ -1915,7 +1975,7 @@ asset_type = Azure AD confidence = medium explanation = The following analytic identifies instances where admin consent is granted to an application within an Azure AD tenant. It leverages Azure AD audit logs, specifically events related to the admin consent action within the ApplicationManagement category. The admin consent action allows applications to access data across the entire tenant, potentially encompassing a vast amount of organizational data. Given its broad scope and the sensitivity of some permissions that can only be granted via admin consent, it's crucial to monitor this action. Unauthorized or inadvertent granting of admin consent can lead to significant security risks, including data breaches, unauthorized data access, and potential compliance violations. If an attacker successfully tricks an administrator into granting admin consent to a malicious or compromised application, they can gain extensive and persistent access to organizational data. This can lead to data exfiltration, espionage, further malicious activities within the tenant, and potential breaches of compliance regulations how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlogs log category. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} known_false_positives = Legitimate applications may be granted tenant wide consent, filter as needed. providing_technologies = null 
@@ -1927,7 +1987,7 @@ explanation = The following analytic identifies one source Ip failing to authent The detection calculates the standard deviation for source Ip and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\ While looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `Azure AD Multiple Users Failing To Authenticate From Ip`. how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} known_false_positives = A source Ip failing to authenticate with multiple users is not a common for legitimate behavior. providing_technologies = null 
@@ -1937,7 +1997,7 @@ asset_type = Azure AD tenant confidence = medium explanation = The following analytic identifies instances where Azure AD has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This suggests that the application has exhibited behaviors or characteristics that are commonly associated with malicious intent or poses a security risk. This detection leverages the Azure AD audit logs, specifically focusing on events related to user consent actions and system-driven blocks. By filtering for blocked consent actions associated with applications, the analytic highlights instances where Azure's built-in security measures have intervened. Applications that are flagged and blocked by Azure typically exhibit suspicious characteristics or behaviors. Monitoring for these blocked consent attempts helps security teams identify potential threats early on and can provide insights into users who might be targeted or susceptible to such risky applications. It's an essential layer of defense in ensuring that malicious or risky applications don't gain access to organizational data. If the detection is a true positive, it indicates that the built-in security measures of O365 successfully prevented a potentially harmful application from gaining access. However, the attempt itself suggests that either a user might be targeted or that there's a presence of malicious applications trying to infiltrate the organization. Immediate investigation is required to understand the context of the block and to take further preventive measures. how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} known_false_positives = UPDATE_KNOWN_FALSE_POSITIVES providing_technologies = null 
@@ -1947,7 +2007,7 @@ asset_type = Azure AD confidence = medium explanation = The following analytic identifies instances where a user has actively denied consent to an OAuth application seeking permissions within the Azure AD environment. This suggests that the user either recognized something suspicious about the application or chose not to grant it the requested permissions for other reasons. This detection leverages the Azure AD's audit logs, specifically focusing on events related to user consent actions. By filtering for denied consent actions associated with OAuth applications, the analytic captures instances where users have actively rejected permission requests. While user-denied consents can be routine, they can also be indicative of users spotting potentially suspicious or unfamiliar applications. By monitoring these denied consent attempts, security teams can gain insights into applications that might be perceived as risky or untrusted by users. It can also serve as a feedback loop for security awareness training, indicating that users are being cautious about granting permissions. If the detection is a true positive, it indicates that a user has actively prevented an OAuth application from gaining the permissions it requested. While this is a proactive security measure on the user's part, it's essential for security teams to review the context of the denial. Understanding why certain applications are being denied can help in refining application whitelisting policies and ensuring that no malicious applications are attempting to gain access. how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} known_false_positives = Users may deny consent for legitimate applications by mistake, filter as needed. providing_technologies = null @@ -1957,7 +2017,7 @@ asset_type = Azure Active Directory confidence = medium explanation = The following analytic identifies an Azure AD user enabling a previously disabled account and resetting its password within 2 minutes. This behavior could represent an adversary who has obtained administrative access and is trying to establish a backdoor identity within an Azure AD tenant. how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} known_false_positives = While not common, Administrators may enable accounts and reset their passwords for legitimate reasons. Filter as needed. providing_technologies = null 
@@ -1967,7 +2027,7 @@ asset_type = Azure Active Directory confidence = medium explanation = The following analytic identifies the modification of the SourceAnchor (also called ImmutableId) attribute for an Azure Active Directory user. Updating this attribute is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA. how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} known_false_positives = The SourceAnchor (also called ImmutableId) Azure AD attribute has legitimate uses for directory synchronization. Investigate and filter as needed. providing_technologies = null 
@@ -1977,7 +2037,7 @@ asset_type = Azure confidence = medium explanation = The following analytic identifies the creation of a new Azure Automation account within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure using PowerShell and Python. Azure Automation can also be configured to automate tasks on on premise infrastructure using a component called a Hybrid Runbook Worker. Automation accounts serve as a container to isolate Automation resources, runbooks, assets, and configurations from the resources of other accounts. They allow administrators to separate resources into logical environments or delegated responsibilities. Adversaries or red teams who have obtained privileged access to an Azure tenant may create an Azure Automation account with elevated privileges to maintain persistence in the Azure tenant. A malicious Automation Runbook can be created to create Global Administrators in Azure AD, execute code on VMs, etc. how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1136", "T1136.003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136", "T1136.003"], "nist": ["DE.CM"]} known_false_positives = Administrators may legitimately create Azure Automation accounts. Filter as needed. providing_technologies = null 
@@ -1987,7 +2047,7 @@ asset_type = Azure confidence = medium explanation = The following analytic identifies the creation of a new Azure Automation Runbook within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure. Azure Automation script files called Runbooks that can be written in PowerShell or Python. Adversaries or red teams who have obtained privileged access to an Azure tenant may create an Azure Automation Runbook that runs with elevated privileges to maintain persistence in the Azure tenant. A malicious Automation Runbook can be created to create Global Administrators in Azure AD, execute code on VMs, etc. how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1136", "T1136.003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136", "T1136.003"], "nist": ["DE.CM"]} known_false_positives = Administrators may legitimately create Azure Automation Runbooks. Filter as needed. providing_technologies = null 
@@ -1997,7 +2057,7 @@ asset_type = Azure confidence = medium explanation = The following analytic identifies the creation of a new Automation Runbook Webhook within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure. Azure Automation script files called Runbooks that can be written in PowerShell or Python. One of the ways administrators can configure a Runbook to be executed is through HTTP Webhooks. Webhooks leverage custom unauthenticated URLs that are exposed to the Internet. An adversary who has obtained privileged access to an Azure tenant may create a Webhook to trigger the execution of an Automation Runbook with malicious code that can create users or execute code on a VM. This provides a persistent foothold on the environment. how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.004"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.004"], "nist": ["DE.CM"]} known_false_positives = Administrators may legitimately create Azure Runbook Webhooks. Filter as needed. providing_technologies = null 
@@ -2007,7 +2067,7 @@ asset_type = CircleCI confidence = medium explanation = This analytic searches for a specific behavior in CircleCI pipelines such as the disabling of security jobs. The detection is made by using a Splunk query that renames certain fields and retrieves values for specified job names, workflow IDs and names, user information, commit messages, URLs, and branches. Then, the query identifies mandatory jobs for each workflow and searches for instances where they were run. The search also identifies the phase of the pipeline as "build" and extracts the repository name from the URL using regular expressions. The detection is important because it detects attempts to bypass security measures in CircleCI pipelines, which can potentially lead to malicious code being introduced into the pipeline, data breaches, system downtime, and reputational damage. False positives might occur since legitimate use cases can require the disabling of security jobs. However, you can proactively monitor and identify any suspicious activity in the pipeline using this analytic and mitigate potential threats through early detection. how_to_implement = You must index CircleCI logs. -annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1554"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1554"], "nist": ["DE.AE"]} known_false_positives = unknown providing_technologies = null 
@@ -2017,7 +2077,7 @@ asset_type = CircleCI confidence = medium explanation = The following analytic detects the disablement of security steps in a CircleCI pipeline. Addressing instances of security step disablement in CircleCI pipelines can mitigate the risks associated with potential security vulnerabilities and unauthorized changes. A proactive approach helps protect the organization's infrastructure, data, and overall security posture. The detection is made by a Splunk query that searches for specific criteria within CircleCI logs through a combination of field renaming, joining, and statistical analysis to identify instances where security steps are disabled. It retrieves information such as job IDs, job names, commit details, and user information from the CircleCI logs. The detection is important because it indicates potential security vulnerabilities or unauthorized changes to the pipeline caused by someone within the organization intentionally or unintentionally disabling security steps in the CircleCI pipeline.Disabling security steps can leave the pipeline and the associated infrastructure exposed to potential attacks, data breaches, or the introduction of malicious code into the pipeline. Investigate by reviewing the job name, commit details, and user information associated with the disablement of security steps. You must also examine any relevant on-disk artifacts and identify concurrent processes that might indicate the source of the attack or unauthorized change. how_to_implement = You must index CircleCI logs. -annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1554"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1554"], "nist": ["DE.AE"]} known_false_positives = unknown providing_technologies = null 
@@ -2027,7 +2087,7 @@ asset_type = AWS Instance confidence = medium explanation = The following analytic detects when a new command is run by a user, who typically does not run those commands. The detection is made by a Splunk query to search for these commands in the Change data model. Identifies commands run by users with the user_type of AssumedRole and a status of success. The query retrieves the earliest and latest timestamps of each command run and groups the results by the user and command. Then, it drops the unnecessary data model object name and creates a lookup to verify if the command was seen before. The lookup table contains information about previously seen cloud API calls for each user role, including the first time the command was seen and whether enough data is available for analysis. If the firstTimeSeenUserApiCall field is null or greater than the relative time of 24 hours ago, it indicates that the command is new and was not seen before. The final result table includes the firstTime, user, object, and command fields of the new commands. It also applies the security_content_ctime function to format the timestamps and applies a filter to remove any cloud API calls from previously unseen user roles. The detection is important because it helps to identify new commands run by different user roles. New commands can indicate potential malicious activity or unauthorized actions within the environment. Detecting and investigating these new commands can help identify and mitigate potential security threats earlier, preventing data breaches, unauthorized access, or other damaging outcomes. how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud API Calls Per User Role - Initial` to build the initial table of user roles, commands, and times. 
You must also enable the second baseline search `Previously Seen Cloud API Calls Per User Role - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `cloud_api_calls_from_previously_unseen_user_roles_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_api_calls_from_previously_unseen_user_roles_filter` -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} known_false_positives = . providing_technologies = null @@ -2037,7 +2097,7 @@ asset_type = Cloud Compute Instance confidence = medium explanation = This search looks for cloud compute instances created by users who have not created them before. how_to_implement = You must be ingesting the appropriate cloud-infrastructure logs Run the "Previously Seen Cloud Compute Creations By User" support search to create of baseline of previously seen users. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]} known_false_positives = It's possible that a user will start to create compute instances for the first time, for any number of reasons. Verify with the user launching instances that this is the intended behavior. providing_technologies = null 
@@ -2047,7 +2107,7 @@ asset_type = Cloud Compute Instance confidence = medium explanation = This search looks at cloud-infrastructure events where an instance is created in any region within the last hour and then compares it to a lookup file of previously seen regions where instances have been created. how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Regions - Initial` to build the initial table of images observed and times. You must also enable the second baseline search `Previously Seen Cloud Regions - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_in_previously_unused_region_filter` macro. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]} known_false_positives = It's possible that a user has unknowingly started an instance in a new region. Please verify that this activity is legitimate. providing_technologies = null 
@@ -2077,7 +2137,7 @@ asset_type = AWS Instance confidence = medium explanation = This search looks for cloud instances being modified by users who have not previously modified them. how_to_implement = This search has a dependency on other searches to create and update a baseline of users observed to be associated with this activity. The search "Previously Seen Cloud Instance Modifications By User - Update" should be enabled for this detection to properly work. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]} known_false_positives = It's possible that a new user will start to modify EC2 instances when they haven't before for any number of reasons. Verify with the user that is modifying instances that this is the intended behavior. providing_technologies = null 
@@ -2087,7 +2147,7 @@ asset_type = AWS Instance confidence = medium explanation = This search looks for cloud provisioning activities from previously unseen cities. Provisioning activities are defined broadly as any event that runs or creates something. how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_city_filter` macro. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.\ This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. 
If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you. providing_technologies = null 
@@ -2098,7 +2158,7 @@ asset_type = AWS Instance confidence = medium explanation = This search looks for cloud provisioning activities from previously unseen countries. Provisioning activities are defined broadly as any event that runs or creates something. how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_country_filter` macro. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.\ This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. 
If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you. providing_technologies = null 
@@ -2109,7 +2169,7 @@ asset_type = AWS Instance confidence = medium explanation = This search looks for cloud provisioning activities from previously unseen IP addresses. Provisioning activities are defined broadly as any event that runs or creates something. how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_ip_address_filter` macro. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.\ This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. 
If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you. providing_technologies = null 
@@ -2120,7 +2180,7 @@ asset_type = AWS Instance confidence = medium explanation = This search looks for cloud provisioning activities from previously unseen regions. Provisioning activities are defined broadly as any event that runs or creates something. how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_region_filter` macro. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.\ This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. 
If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you. providing_technologies = null @@ -2131,7 +2191,7 @@ asset_type = AWS Instance confidence = medium explanation = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour how_to_implement = You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1552"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1552"], "nist": ["DE.AE"]} known_false_positives = When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate. providing_technologies = null 
@@ -2141,7 +2201,7 @@ asset_type = AWS Instance confidence = medium explanation = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour how_to_implement = You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_city_filter` macro. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"]} known_false_positives = When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate. providing_technologies = null 
@@ -2151,7 +2211,7 @@ asset_type = AWS Instance confidence = medium explanation = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour how_to_implement = You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_country_filter` macro. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"]} known_false_positives = When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate. providing_technologies = null 
@@ -2161,7 +2221,7 @@ asset_type = AWS Instance confidence = medium explanation = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour how_to_implement = You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_region_filter` macro. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"]} known_false_positives = When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate. providing_technologies = null 
@@ -2171,7 +2231,7 @@ asset_type = GCP Storage Bucket confidence = medium explanation = This search looks at GCP Storage bucket-access logs and detects new or previously unseen remote IP addresses that have successfully accessed a GCP Storage bucket. how_to_implement = This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview). In order to capture public GCP Storage Bucket access logs, you must also enable storage bucket logging to your PubSub Topic as per https://cloud.google.com/storage/docs/access-logs. These logs are deposited into the nominated Storage Bucket on an hourly basis and typically show up by 15 minutes past the hour. It is recommended to configure any saved searches or correlation searches in Enterprise Security to run on an hourly basis at 30 minutes past the hour (cron definition of 30 * * * *). A lookup table (previously_seen_gcp_storage_access_from_remote_ip.csv) stores the previously seen access requests, and is used by this search to determine any newly seen IP addresses accessing the Storage Buckets. -annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1530"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.AE"]} known_false_positives = GCP Storage buckets can be accessed from any IP (if the ACLs are open to allow it), as long as it can make a successful connection. This will be a false postive, since the search is looking for a new IP within the past two hours. providing_technologies = null 
@@ -2181,7 +2241,7 @@ asset_type = GCP Storage Bucket confidence = medium explanation = This search looks for GCP PubSub events where a user has created an open/public GCP Storage bucket. how_to_implement = This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview). -annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1530"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.CM"]} known_false_positives = While this search has no known false positives, it is possible that a GCP admin has legitimately created a public bucket for a specific purpose. That said, GCP strongly advises against granting full control to the "allUsers" group. providing_technologies = null @@ -2191,7 +2251,7 @@ asset_type = S3 Bucket confidence = medium explanation = This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket. how_to_implement = You must install the AWS App for Splunk. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1530"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.CM"]} known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. That said, AWS strongly advises against granting full control to the "All Users" group. providing_technologies = ["Amazon Web Services - Cloudtrail"] 
@@ -2201,7 +2261,7 @@ asset_type = S3 Bucket confidence = medium explanation = This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the aws cli. how_to_implement = -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1530"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.CM"]} known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. That said, AWS strongly advises against granting full control to the "All Users" group. providing_technologies = ["Amazon Web Services - Cloudtrail"] @@ -2211,7 +2271,7 @@ asset_type = S3 Bucket confidence = medium explanation = This search looks at S3 bucket-access logs and detects new or previously unseen remote IP addresses that have successfully accessed an S3 bucket. how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your S3 access logs' inputs. This search works best when you run the "Previously Seen S3 Bucket Access by Remote IP" support search once to create a history of previously seen remote IPs and bucket names. -annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1530"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.AE"]} known_false_positives = S3 buckets can be accessed from any IP, as long as it can make a successful connection. This will be a false postive, since the search is looking for a new IP within the past hour providing_technologies = null 
@@ -2251,7 +2311,7 @@ asset_type = S3 Bucket confidence = medium explanation = This search detects users creating spikes in API activity related to deletion of S3 buckets in your AWS environment. It will also update the cache file that factors in the latest data. how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the "Baseline of S3 Bucket deletion activity by ARN" support search once to create a baseline of previously seen S3 bucket-deletion activity. -annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1530"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.AE"]} known_false_positives = Based on the values of`dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. Please modify this according the your environment. providing_technologies = ["Amazon Web Services - Cloudtrail"] 
@@ -2261,7 +2321,7 @@ asset_type = Google Cloud Platform tenant confidence = medium explanation = The following analytic identifies an authentication attempt event against a Google Cloud Platform tenant that fails during the Multi Factor Authentication challenge. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. how_to_implement = You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the User log events. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"]} known_false_positives = Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake. providing_technologies = null 
@@ -2271,7 +2331,7 @@ asset_type = GCP Account confidence = medium explanation = This search provides detection of GCPloit exploitation framework. This framework can be used to escalate privileges and move laterally from compromised high privilege accounts. how_to_implement = You must install splunk GCP add-on. This search works with gcp:pubsub:message logs -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.CM"]} known_false_positives = Payload.request.function.timeout value can possibly be match with other functions or requests however the source user and target request account may indicate an attempt to move laterally accross acounts or projects providing_technologies = null @@ -2281,7 +2341,7 @@ asset_type = GCP Kubernetes cluster confidence = medium explanation = This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster's pods how_to_implement = You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} known_false_positives = Not all unauthenticated requests are malicious, but frequency, User Agent, source IPs and pods will provide context. providing_technologies = null 
@@ -2291,7 +2351,7 @@ asset_type = GCP confidence = medium explanation = The following analytic identifies an attempt to disable multi-factor authentication for a GCP user. An adversary who has obtained access to an GCP tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. how_to_implement = You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the Admin log events. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1556", "T1556.006"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1556", "T1556.006"], "nist": ["DE.CM"]} known_false_positives = Legitimate use case may require for users to disable MFA. Filter as needed. providing_technologies = null 
@@ -2301,7 +2361,7 @@ asset_type = Google Cloud Platform tenant confidence = medium explanation = The following analytic identifies multiple failed multi-factor authentication requests for a single user within a Google Cloud Platform tenant. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 5 minutes. Google CLoud tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. how_to_implement = You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `mfa_prompts` threshold values according to your environment. Specifically, this analytic leverages the User log events. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1078", "T1078.004"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1078", "T1078.004"], "nist": ["DE.CM"]} known_false_positives = Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed. providing_technologies = null 
@@ -2311,7 +2371,7 @@ asset_type = Google Cloud Platform tenant
 confidence = medium
 explanation = The following analytic identifies one source Ip failing to authenticate into the Google Workspace user accounts with more than 20 unique valid users within 5 minutes. These user accounts may have other privileges with respect to access to other sensitive resources in the Google Cloud Platform. This behavior could represent an adversary performing a Password Spraying attack against an Google Workspace environment to obtain initial access or elevate privileges.
 how_to_implement = You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `unique_accounts` threshold values according to your environment. Specifically, this analytic leverages the User log events.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
 known_false_positives = No known false postives for this detection. Please review this alert.
 providing_technologies = null
@@ -2321,7 +2381,7 @@ asset_type = Google Cloud Platform tenant
 confidence = medium
 explanation = The following analytic identifies a successful authentication event against Google Cloud Platform for an account without Multi-Factor Authentication enabled. This could be evidence of a missconfiguration, a policy violation or an account take over attempt that should be investigated
 how_to_implement = You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the User log events.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]}
 known_false_positives = Although not recommended, certain users may be required without multi-factor authentication. Filter as needed
 providing_technologies = null
@@ -2331,7 +2391,7 @@ asset_type = Google Cloud Platform tenant
 confidence = medium
 explanation = The following analytic identifies one source IP failing to authenticate into the Google Workspace with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against a Google Workspace enviroment to obtain initial access or elevate privileges. The detection calculates the standard deviation for source IP and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the bucket span time and the calculation of the upperBound field. This logic can be used for real time security monitoring as well as threat hunting exercises. While looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `GCP Multiple Users Failing To Authenticate From Ip`
 how_to_implement = You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `unique_accounts` threshold values according to your environment. Specifically, this analytic leverages the User log events.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
 known_false_positives = No known false positives for this detection. Please review this alert
 providing_technologies = null
@@ -2341,7 +2401,7 @@ asset_type = GDrive
 confidence = medium
 explanation = This search can help the detection of compromised accounts or internal users sharing potentially malicious/classified documents with users outside your organization via GSuite file sharing .
 how_to_implement = Need to implement Gsuite logging targeting Google suite drive activity. In order for the search to work for your environment please update `yourdomain.com` value in the query with the domain relavant for your organization.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]}
 known_false_positives = This is an anomaly search, you must specify your domain in the parameters so it either filters outside domains or focus on internal domains. This search may also help investigate compromise of accounts. By looking at for example source ip addresses, document titles and abnormal number of shares and shared target users.
 providing_technologies = null
@@ -2351,7 +2411,7 @@ asset_type = GitHub
 confidence = medium
 explanation = This search detects a disabled security workflow in GitHub Actions. An attacker can disable a security workflow in GitHub actions to hide malicious code in it.
 how_to_implement = You must index GitHub logs. You can follow the url in reference to onboard GitHub logs. Sometimes GitHub logs are truncated, make sure to disable it in props.conf. Replace *security-testing* with the name of your security testing workflow in GitHub Actions.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1195.002", "T1195"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.002", "T1195"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2361,7 +2421,7 @@ asset_type = GitHub
 confidence = medium
 explanation = This search is to detect a pushed or commit to master or main branch. This is to avoid unwanted modification to master without a review to the changes. Ideally in terms of devsecops the changes made in a branch and do a PR for review. of course in some cases admin of the project may did a changes directly to master branch
 how_to_implement = To successfully implement this search, you need to be ingesting logs related to github logs having the fork, commit, push metadata that can be use to monitor the changes in a github project.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1199"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1199"], "nist": ["DE.AE"]}
 known_false_positives = admin can do changes directly to master branch
 providing_technologies = null
@@ -2371,7 +2431,7 @@ asset_type = GitHub
 confidence = medium
 explanation = This search is to detect a pushed or commit to develop branch. This is to avoid unwanted modification to develop without a review to the changes. Ideally in terms of devsecops the changes made in a branch and do a PR for review. of course in some cases admin of the project may did a changes directly to master branch
 how_to_implement = To successfully implement this search, you need to be ingesting logs related to github logs having the fork, commit, push metadata that can be use to monitor the changes in a github project.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1199"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1199"], "nist": ["DE.AE"]}
 known_false_positives = admin can do changes directly to develop branch
 providing_technologies = null
@@ -2381,7 +2441,7 @@ asset_type = GitHub
 confidence = medium
 explanation = The following analytic is made by first searching for logs that contain the action "create" and renames certain fields for easier analysis. Then, this analytic uses the "stats" command to calculate the first and last occurrence of the alert based on the timestamp. The fields included in the output are the action, affected package name, affected range, created date, external identifier, external reference, fixed version, severity, repository, repository URL, and user. The "phase" field is set to "code" to indicate that the alert pertains to code-related issues. The detection is important because dependabot Alerts can indicate vulnerabilities in the codebase that can be exploited by attackers. Detecting and investigating these alerts can help a SOC to proactively address security risks and prevent potential breaches or unauthorized access to sensitive information. False positives might occur since there are legitimate actions that trigger the "create" action or if other factors exist that can generate similar log entries. Next steps include reviewing the details of the alert, such as the affected package, severity, and fixed version to determine the appropriate response and mitigation steps.
 how_to_implement = You must index GitHub logs. You can follow the url in reference to onboard GitHub logs.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1195.001", "T1195"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.001", "T1195"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2391,7 +2451,7 @@ asset_type = GitHub
 confidence = medium
 explanation = The following analytic detects pull requests from unknown users on GitHub. The detection is made by using a Splunk query to search for pull requests in the `check_suite.pull_requests` field where the `id` is not specified. Next, the analytic retrieves information such as the author's name, the repository's full name, the head reference of the pull request, and the commit message from the `check_suite.head_commit` field. The analytic also includes a step to exclude known users by using the `github_known_users` lookup table, which helps to filter out pull requests from known users and focus on the pull requests from unknown users. The detection is important because it locates potential malicious activity or unauthorized access since unknown users can introduce malicious code or gain unauthorized access to repositories leading to unauthorized code changes, data breaches, or other security incidents. Next steps include reviewing the author's name, the repository involved, the head reference of the pull request, and the commit message upon triage of a potential pull request from an unknown user. You must also analyze any relevant on-disk artifacts and investigate any concurrent processes to determine the source and intent of the pull request."
 how_to_implement = You must index GitHub logs. You can follow the url in reference to onboard GitHub logs.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1195.001", "T1195"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.001", "T1195"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2401,7 +2461,7 @@ asset_type = GSuite
 confidence = medium
 explanation = This search is to detect suspicious google drive or google docs files shared outside or externally. This behavior might be a good hunting query to monitor exfitration of data made by an attacker or insider to a targetted machine.
 how_to_implement = To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. In order for the search to work for your environment, please edit the query to use your company specific email domain instead of `internal_test_email.com`.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1567.002", "T1567"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1567.002", "T1567"], "nist": ["DE.AE"]}
 known_false_positives = network admin or normal user may share files to customer and external team.
 providing_technologies = null
@@ -2411,7 +2471,7 @@ asset_type = GSuite
 confidence = medium
 explanation = This search is to detect a suspicious attachment file extension in Gsuite email that may related to spear phishing attack. This file type is commonly used by malware to lure user to click on it to execute malicious code to compromised targetted machine. But this search can also catch some normal files related to this file type that maybe send by employee or network admin.
 how_to_implement = To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
 known_false_positives = network admin and normal user may send this file attachment as part of their day to day work. having a good protocol in attaching this file type to an e-mail may reduce the risk of having a spear phishing attack.
 providing_technologies = null
@@ -2421,7 +2481,7 @@ asset_type = GSuite
 confidence = medium
 explanation = This search is to detect a gsuite email contains suspicious subject having known file type used in spear phishing. This technique is a common and effective entry vector of attacker to compromise a network by luring the user to click or execute the suspicious attachment send from external email account because of the effective social engineering of subject related to delivery, bank and so on. On the other hand this detection may catch a normal email traffic related to legitimate transaction so better to check the email sender, spelling and etc. avoid click link or opening the attachment if you are not expecting this type of e-mail.
 how_to_implement = To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
 known_false_positives = normal user or normal transaction may contain the subject and file type attachment that this detection try to search.
 providing_technologies = null
@@ -2431,7 +2491,7 @@ asset_type = GSuite
 confidence = medium
 explanation = This analytics is to detect a gmail containing a link that are known to be abused by malware or attacker like pastebin, telegram and discord to deliver malicious payload. This event can encounter some normal email traffic within organization and external email that normally using this application and services.
 how_to_implement = To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
 known_false_positives = normal email contains this link that are known application within the organization or network can be catched by this detection.
 providing_technologies = null
@@ -2441,7 +2501,7 @@ asset_type = GSuite
 confidence = medium
 explanation = This search is to detect a suspicious outbound e-mail from internal email to external email domain. This can be a good hunting query to monitor insider or outbound email traffic for not common domain e-mail. The idea is to parse the domain of destination email check if there is a minimum outbound traffic < 20 with attachment.
 how_to_implement = To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.AE"]}
 known_false_positives = network admin and normal user may send this file attachment as part of their day to day work. having a good protocol in attaching this file type to an e-mail may reduce the risk of having a spear phishing attack.
 providing_technologies = null
@@ -2451,7 +2511,7 @@ asset_type = GSuite
 confidence = medium
 explanation = This search can help the detection of compromised accounts or internal users sending suspcious calendar invites via GSuite calendar. These invites may contain malicious links or attachments.
 how_to_implement = In order to successfully implement this search, you need to be ingesting logs related to gsuite (gsuite:calendar:json) having the file sharing metadata like file type, source owner, destination target user, description, etc. This search can also be made more specific by selecting specific emails, subdomains timeframe, organizational units, targeted user, etc. In order for the search to work for your environment please update `yourdomain.com` value in the query with the domain relavant for your organization.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]}
 known_false_positives = This search will also produce normal activity statistics. Fields such as email, ip address, name, parameters.organizer_calendar_id, parameters.target_calendar_id and parameters.event_title may give away phishing intent.For more specific results use email parameter.
 providing_technologies = null
@@ -2461,7 +2521,7 @@ asset_type = GSuite
 confidence = medium
 explanation = This search is to detect a shared file in google drive with suspicious file name that are commonly used by spear phishing campaign. This technique is very popular to lure the user by running a malicious document or click a malicious link within the shared file that will redirected to malicious website. This detection can also catch some normal email communication between organization and its external customer.
 how_to_implement = To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. In order for the search to work for your environment, please edit the query to use your company specific email domain instead of `internal_test_email.com`.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
 known_false_positives = normal user or normal transaction may contain the subject and file type attachment that this detection try to search
 providing_technologies = null
@@ -2471,7 +2531,7 @@ asset_type = Office 365
 confidence = medium
 explanation = This analytic detects multiple failed login attempts in Office365 Azure Active Directory from a single source IP address. Specifically, it identifies scenarios where there are more than 10 unsuccessful login attempts within a short time frame. The detection leverages Office365 management activity logs, specifically the AzureActiveDirectoryStsLogon records from the AzureActiveDirectory workload. It aggregates these logs in 5-minute intervals to count the number of failed login attempts and associates them with the originating source IP address. Multiple failed login attempts from a single source can be indicative of brute-force attacks, password spraying, or other malicious authentication attempts. Identifying and responding to these patterns promptly can prevent unauthorized access and potential breaches. If this detection represents a true positive, an attacker might be attempting to gain unauthorized access to an Office365 account. Successful compromise could lead to unauthorized access to sensitive data, potential lateral movement within the organization, or further malicious activities using the compromised account.
 how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. Adjust the threshold value to suit the specific environment, as environments with naturally higher login failures might generate false positives at a lower threshold.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1110.001", "T1110"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.001", "T1110"], "nist": ["DE.AE"]}
 known_false_positives = An Ip address with more than 10 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.
 providing_technologies = null
@@ -2481,7 +2541,7 @@ asset_type = Kubernetes
 confidence = medium
 explanation = The following analytic detects unauthorized access or misuse of Kubernetes Secrets from unusual locations. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by country. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data.
 how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2491,7 +2551,7 @@ asset_type = Kubernetes
 confidence = medium
 explanation = The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user agents. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by user agent. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data.
 how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2501,7 +2561,7 @@ asset_type = Kubernetes
 confidence = medium
 explanation = The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user groups. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by user group. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data.
 how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2511,7 +2571,7 @@ asset_type = Kubernetes
 confidence = medium
 explanation = The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user names. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by user name. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data.
 how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2521,7 +2581,7 @@ asset_type = Kubernetes
 confidence = medium
 explanation = The following analytic detects potential scanning activities within a Kubernetes environment. It identifies unauthorized access attempts, probing of public APIs, or attempts to exploit known vulnerabilities. The analytic detects this behavior by monitoring Kubernetes audit logs for patterns indicative of scanning, such as repeated failed access attempts or unusual API requests. This behavior is worth identifying for a SOC as it could indicate an attackers preliminary step in an attack, aiming to gather information about the system to find potential vulnerabilities. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data.
 how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1046"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1046"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2535,7 +2595,7 @@ how_to_implement = To gather NPM metrics the Open Telemetry to the Kubernetes Cl
 * Org ID \
 * Signal Flow Program data('tcp.packets').publish(label='A'); data('tcp.bytes').publish(label='B'); data('tcp.new_sockets').publish(label='C'); data('udp.packets').publish(label='D'); data('udp.bytes').publish(label='E') \
 * Metric Resolution 10000
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2556,7 +2616,7 @@ how_to_implement = To implement this detection, follow these steps: \
 * Set the Metric Resolution to 10000.\
 * Leave all other settings at their default values.\
 * Run the Search Baseline Of Kubernetes Container Network IO Ratio
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2577,7 +2637,7 @@ how_to_implement = To implement this detection, follow these steps: \
 * Set the Metric Resolution to 10000.\
 * Leave all other settings at their default values.\
 * Run the Search Baseline Of Kubernetes Container Network IO Ratio
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2591,7 +2651,7 @@ how_to_implement = To gather NPM metrics the Open Telemetry to the Kubernetes Cl
 * Org ID \
 * Signal Flow Program data('tcp.packets').publish(label='A'); data('tcp.bytes').publish(label='B'); data('tcp.new_sockets').publish(label='C'); data('udp.packets').publish(label='D'); data('udp.bytes').publish(label='E') \
 * Metric Resolution 10000
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2605,7 +2665,7 @@ how_to_implement = To gather NPM metrics the Open Telemetry to the Kubernetes Cl
 * Org ID \
 * Signal Flow Program data('tcp.packets').publish(label='A'); data('tcp.bytes').publish(label='B'); data('tcp.new_sockets').publish(label='C'); data('udp.packets').publish(label='D'); data('udp.bytes').publish(label='E') \
 * Metric Resolution 10000
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2625,7 +2685,7 @@ asset_type = Kubernetes
 confidence = medium
 explanation = The following analytic detects the creation of privileged pods in Kubernetes. It identifies this behavior by monitoring Kubernetes Audit logs for the creation of pods with root privileges. This behavior is worth identifying for a SOC as it could potentially allow an attacker to escalate privileges, exploit the kernel, and gain full access to the host's namespace and devices. The impact of such an attack could be severe, leading to unauthorized access to sensitive information, data breaches, and service disruptions.
 how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2635,7 +2695,7 @@ asset_type = Kubernetes
 confidence = medium
 explanation = The following analytic detects the creation of a Kubernetes cron job, a task scheduled to run automatically at specified intervals. It identifies this behavior by monitoring Kubernetes Audit logs for creation of a cron job. This behavior is worth identifying for a SOC as it could potentially allow an attacker to execute malicious tasks repeatedly and automatically, posing a significant threat to the integrity and security of the Kubernetes infrastructure. The impact of such an attack could be severe, leading to persistent attacks, service disruptions, or unauthorized access to sensitive information.
 how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1053.007"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.007"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2645,7 +2705,7 @@ asset_type = Kubernetes
 confidence = medium
 explanation = The following analytic detects the creation of a DaemonSet in a Kubernetes cluster. A DaemonSet ensures the presence of a specific pod on every node in the cluster, making it an ideal avenue for persistent access. This behavior is identified by monitoring Kubernetes Audit logs for the creation of a DaemonSet. The identified behavior is worth noting for a SOC as it could potentially allow an attacker to maintain persistent access to the Kubernetes infrastructure. The impact of such an attack could be severe, leading to persistent attacks, service disruptions, or unauthorized access to sensitive information.
 how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2655,7 +2715,7 @@ asset_type = Kubernetes
 confidence = medium
 explanation = The following analytic detects instances where a shell is spawned within a Kubernetes container, a behavior often indicative of an attacker gaining unauthorized access. Leveraging Falco, a cloud-native runtime security tool, this analytic monitors system calls within the Kubernetes environment, flagging when a shell is spawned in a container. This behavior is worth identifying for a SOC as it could potentially allow an attacker to execute arbitrary commands, manipulate container processes, or escalate privileges, posing a significant threat to the integrity and security of the Kubernetes infrastructure. The impact of such an attack could be severe, leading to data breaches, service disruptions, or unauthorized access to sensitive information.
 how_to_implement = The detection is based on data that originates from Falco, a cloud native runtime security tool. Falco is designed to detect anomalous activity in your applications and is a crucial component of this detection rule. To implement this detection rule, you need to install and configure Falco in your Kubernetes environment. Once Falco is set up, it will monitor the system calls in your Kubernetes infrastructure and generate logs for any suspicious activity. These logs are then ingested by Splunk for analysis. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2669,7 +2729,7 @@ how_to_implement = To gather NPM metrics the Open Telemetry to the Kubernetes Cl
 * Org ID \
 * Signal Flow Program data('tcp.packets').publish(label='A'); data('tcp.bytes').publish(label='B'); data('tcp.new_sockets').publish(label='C'); data('udp.packets').publish(label='D'); data('udp.bytes').publish(label='E') \
 * Metric Resolution 10000
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2683,7 +2743,7 @@ how_to_implement = To gather NPM metrics the Open Telemetry to the Kubernetes Cl
 * Org ID \
 * Signal Flow Program data('tcp.packets').publish(label='A'); data('tcp.bytes').publish(label='B'); data('tcp.new_sockets').publish(label='C'); data('udp.packets').publish(label='D'); data('udp.bytes').publish(label='E') \
 * Metric Resolution 10000
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2693,7 +2753,7 @@ asset_type = Kubernetes
 confidence = medium
 explanation = This search uses the Kubernetes logs from a nginx ingress controller to detect local file inclusion attacks.
 how_to_implement = You must ingest Kubernetes logs through Splunk Connect for Kubernetes.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1212"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1212"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2703,7 +2763,7 @@ asset_type = Kubernetes
 confidence = medium
 explanation = This search uses the Kubernetes logs from a nginx ingress controller to detect remote file inclusion attacks.
 how_to_implement = You must ingest Kubernetes logs through Splunk Connect for Kubernetes.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1212"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1212"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2713,7 +2773,7 @@ asset_type = Kubernetes
 confidence = medium
 explanation = The following analytic detects the creation of a Kubernetes node port service, an action that exposes a service to the external network. It identifies this behavior by monitoring Kubernetes Audit logs for creation of a Node Port service. This behavior is worth identifying for a SOC as it could potentially allow an attacker to access internal services, posing a significant threat to the integrity and security of the Kubernetes infrastructure. The impact of such an attack could be severe, leading to data breaches, service disruptions, or unauthorized access to sensitive information.
 how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2723,7 +2783,7 @@ asset_type = Kubernetes
 confidence = medium
 explanation = The following analytic detects the creation of pods in the default, kube-system, or kube-public namespaces. It identifies this behavior by monitoring Kubernetes audit logs for pod creation events in these namespaces. This behavior is worth identifying for a SOC as it may indicate an attacker attempting to hide their presence or evade defenses. Only administrators should typically create pods in the kube-system namespace, and the default and kube-public namespaces should not be used in production. The impact of the attack could be significant, as it may indicate a successful cluster breach and ongoing malicious activity.
 how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2733,7 +2793,7 @@ asset_type = Kubernetes
 confidence = medium
 explanation = The following analytic detects the creation of a pod with host network attachment in Kubernetes. It identifies this behavior by monitoring Kubernetes Audit logs for the creation or update of pods with host network configuration. This behavior is worth identifying for a SOC as it could potentially allow an attacker to listen to all network traffic on the node and other compute on the network namespace, capturing secrets passed in arguments or connections to escalate their privileges. The impact of such an attack could be severe, leading to unauthorized access to sensitive information, data breaches, and service disruptions.
 how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2754,7 +2814,7 @@ how_to_implement = To implement this detection, follow these steps: \
 * Set the Metric Resolution to 10000.\
 * Leave all other settings at their default values.\
 * Run the Search Baseline Of Kubernetes Container Network IO Ratio
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2775,7 +2835,7 @@ how_to_implement = To implement this detection, follow these steps: \
 * Set the Metric Resolution to 10000.\
 * Leave all other settings at their default values.\
 * Run the Search Baseline Of Kubernetes Container Network IO Ratio
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2796,7 +2856,7 @@ how_to_implement = To implement this detection, follow these steps: \
 * Set the Metric Resolution to 10000.\
 * Leave all other settings at their default values.\
 * Run the Search Baseline Of Kubernetes Container Network IO Ratio
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2817,7 +2877,7 @@ how_to_implement = To implement this detection, follow these steps: \
 * Set the Metric Resolution to 10000.\
 * Leave all other settings at their default values.\
 * Run the Search Baseline Of Kubernetes Container Network IO Ratio
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2838,7 +2898,7 @@ how_to_implement = To implement this detection, follow these steps: \
 * Set the Metric Resolution to 10000.\
 * Leave all other settings at their default values.\
 * Run the Search Baseline Of Kubernetes Container Network IO Ratio
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2848,7 +2908,7 @@ asset_type = Kubernetes
 confidence = medium
 explanation = This search uses the Kubernetes logs from Splunk Connect from Kubernetes to detect Kubernetes Security Scanner.
 how_to_implement = You must ingest Kubernetes logs through Splunk Connect for Kubernetes.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1526"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2858,7 +2918,7 @@ asset_type = Kubernetes
 confidence = medium
 explanation = This detection rule is designed to identify potential scanning activities within a Kubernetes environment. Scanning is a common preliminary step in an attack, where the attacker tries to gather information about the system to find potential vulnerabilities. In the context of Kubernetes, scanning could involve activities like unauthorized access attempts, probing public APIs, or trying to exploit known vulnerabilities. This rule triggers an alert when such suspicious activities are detected, helping to ensure the security of your Kubernetes infrastructure.
 how_to_implement = You must ingest Kubernetes audit logs.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1046"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1046"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2879,7 +2939,7 @@ how_to_implement = To implement this detection, follow these steps: \
 * Set the Metric Resolution to 10000.\
 * Leave all other settings at their default values.\
 * Run the Search Baseline Of Kubernetes Container Network IO Ratio
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2900,7 +2960,7 @@ how_to_implement = To implement this detection, follow these steps: \
 * Set the Metric Resolution to 10000.\
 * Leave all other settings at their default values.\
 * Run the Search Baseline Of Kubernetes Container Network IO Ratio
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2910,7 +2970,7 @@ asset_type = Kubernetes
 confidence = medium
 explanation = The following analytic detects instances of suspicious image pulling in Kubernetes. It identifies this behavior by monitoring Kubernetes audit logs for image pull requests that do not match a predefined list of allowed images. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to deploy malicious software or infiltrate the system. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data.
 how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2920,7 +2980,7 @@ asset_type = Kubernetes
 confidence = medium
 explanation = The following analytic detects unauthorized access to Kubernetes by monitoring Kubernetes audit logs. It identifies anomalies in access patterns by segmenting and analyzing the source of requests. Unauthorized access is worth identifying for a SOC as it could indicate an attacker attempting to infiltrate the system. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data.
 how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -2930,7 +2990,7 @@ asset_type = Office 365
 confidence = medium
 explanation = This search is designed to detect the creation of a new Federation setting by alerting on a specific event associated with its creation. By monitoring for this event, the search can identify any instances where a Federation setting is being created within the system. This can help in detecting and monitoring any unauthorized or suspicious changes to the Federation settings, providing an additional layer of security for your environment.
 how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]}
 known_false_positives = The creation of a new Federation is not necessarily malicious, however this events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider.
 providing_technologies = null
@@ -2940,17 +3000,27 @@ asset_type = Office 365
 confidence = medium
 explanation = The following analytic detects addition of new service principal accounts added to O365 tenants. Attackers can abuse service principals in Office 365 (now known as Microsoft 365) to gain unauthorized access and perform malicious actions within an organization's environment. Service principals are essentially non-human accounts used by applications, services, or scripts to access resources and interact with APIs on behalf of the organization.
 how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]}
 known_false_positives = The creation of a new Federation is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider.
 providing_technologies = null
 
+[savedsearch://ESCU - O365 Admin Consent Bypassed by Service Principal - Rule]
+type = detection
+asset_type = Office 365
+confidence = medium
+explanation = This detection targets situations where a service principal in Office 365 Azure Active Directory assigns app roles without the standard admin consent, a potential security breach. Using o365_management_activity logs, it examines the 'Add app role assignment to service principal' operation, focusing on service principals and extracting details like role ID and description. This is critical for SOCs to detect potential bypassing of crucial administrative controls, which could lead to unauthorized access or privilege escalation. A true positive implies a service principal might be misusing automated processes to assign sensitive permissions.
+how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]}
+known_false_positives = Service Principals are sometimes configured to legitimately bypass the consent process for purposes of automation. Filter as needed.
+providing_technologies = null
+
 [savedsearch://ESCU - O365 Advanced Audit Disabled - Rule]
 type = detection
 asset_type = Office 365
 confidence = medium
 explanation = The following analytic identifies instances where the O365 advanced audit is disabled for a specific user within the Office 365 tenant. It leverages O365 audit logs, specifically events related to audit license changes or modifications within the AzureActiveDirectory workloads. The O365 advanced audit provides granular logging and insights into user and administrator activities, making it a crucial tool for security monitoring and incident response. Disabling this audit for a user can blind security teams to potential malicious or unauthorized activities related to that user's mailbox or account. Attackers may disable these audits to obscure their actions and reduce the chances of detection. If an attacker successfully disables the O365 advanced audit for a user, they can operate within that user's mailbox or account with reduced risk of detection. This can lead to unauthorized data access, data exfiltration, account compromise, or other malicious activities without leaving a detailed audit trail.
 how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]}
 known_false_positives = Administrators might temporarily disable the advanced audit for troubleshooting, performance reasons, or other administrative tasks. Filter as needed.
 providing_technologies = null
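Review bot: The new `[savedsearch://ESCU - O365 Admin Consent Bypassed by Service Principal - Rule]` stanza is annotated with `"mitre_attack": ["T1003.002"]`, which is OS Credential Dumping: Security Account Manager and does not describe a service principal assigning app roles without admin consent; the neighbouring application-owner and ApplicationImpersonation stanzas in this same file use `T1098` (Account Manipulation), which fits the described behaviour far better. A wrong technique ID silently misfiles the detection in any ATT&CK coverage report or navigator layer generated from these annotations, so it is worth fixing before the tag ships. Since `dist/` is regenerated by the release job, the correction belongs in the source detection YAML that produces this stanza rather than in this file. Separately, the unchanged `known_false_positives` line on the preceding service-principal stanza still talks about Federation creation, which looks copied from the stanza above it and would be worth tidying in the same upstream pass.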
@@ -2960,7 +3030,7 @@ asset_type = Office 365 confidence = medium explanation = The following analytic identifies instances where a new owner is assigned to an application registration within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in owner assignments within the AzureActiveDirectory workload for application registrations. Assigning a new owner to an application registration can grant significant control over the application's configuration, permissions, and behavior. An unauthorized or inadvertent change in ownership can lead to misuse of the application, potentially affecting data access, user permissions, or the application's interactions within the tenant. Monitoring for such changes ensures that only legitimate and authorized personnel have control over application registrations. If an attacker successfully assigns themselves or a compromised account as an owner to an application registration, they can modify the application's settings, permissions, and behavior. This can lead to unauthorized data access, escalation of privileges, or the introduction of malicious behavior within the application's operations how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} known_false_positives = Application owners may be added for legitimate reasons, filter as needed. providing_technologies = null 
@@ -2970,7 +3040,7 @@ asset_type = Office 365 confidence = medium explanation = The following analytic identifies the assignment of the ApplicationImpersonation role in Office 365, either to a user or an application. This analytic leverages the Office 365 Management Activity API, specifically monitoring for events related to role assignments and changes within the Azure Active Directory audit logs. The ApplicationImpersonation role allows a security principal to impersonate any user within the organization and perform actions on their behalf, such as accessing or modifying their mailbox. This role, if misused or granted inappropriately, can pose a significant security risk. Monitoring the assignment of this role is crucial as it can be an indicator of potential malicious activity or misconfigurations. If an attacker successfully assigns the ApplicationImpersonation role to a malicious user or application, they can gain the ability to impersonate any user within the organization. This can lead to unauthorized access to sensitive information, manipulation of mailbox data, and other malicious actions. The attacker can effectively masquerade as a legitimate user, making their actions harder to detect and potentially causing significant harm to the organization. how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1098", "T1098.002"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.002"], "nist": ["DE.CM"]} known_false_positives = While infrequent, the ApplicationImpersonation role may be granted for leigimate reasons, filter as needed. providing_technologies = null 
@@ -2980,7 +3050,7 @@ asset_type = O365 tenant
 confidence = medium
 explanation = This analytic detects when the "risk-based step-up consent" security setting in Microsoft 365 is disabled. This setting, when enabled, prevents regular users from granting consent to potentially malicious OAuth applications, requiring an administrative "step-up" for consent instead. Disabling this feature could expose the organization to OAuth phishing threats.The detection operates by monitoring Azure Active Directory logs for events where the "Update authorization policy" operation is performed. It specifically looks for changes to the "AllowUserConsentForRiskyApps" setting, identifying instances where this setting is switched to "true," effectively disabling the risk-based step-up consent. Monitoring for changes to critical security settings like the "risk-based step-up consent" is vital for maintaining the integrity of an organization's security posture. Disabling this feature can make the environment more susceptible to OAuth phishing attacks, where attackers trick users into granting permissions to malicious applications. Identifying when this setting is disabled can help blue teams to quickly respond, investigate, and potentially uncover targeted phishing campaigns against their users. If an attacker successfully disables the "risk-based step-up consent" and subsequently launches an OAuth phishing campaign, they could gain unauthorized access to user data and other sensitive information within the M365 environment. This could lead to data breaches, unauthorized access to emails, and potentially further compromise within the organization.
 how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562"], "nist": ["DE.CM"]}
 known_false_positives = Legitimate changes to the 'risk-based step-up consent' setting by administrators, perhaps as part of a policy update or security assessment, may trigger this alert, necessitating verification of the change's intent and authorization.
 providing_technologies = null
 
@@ -2990,7 +3060,7 @@ asset_type = Office 365
 confidence = medium
 explanation = This analytic identifies instances where new IP addresses are added to the trusted IPs list in Office 365, potentially allowing users from these IPs to bypass Multi-Factor Authentication (MFA) during login. The detection leverages O365 audit logs, specifically focusing on events related to the modification of trusted IP settings. By monitoring these logs, the analytic captures and alerts on any addition of new trusted IPs. Adding trusted IPs to bypass MFA is a significant security concern. While there might be legitimate reasons to add trusted IPs, such as for a new office location, there's also a risk of attackers or malicious insiders using this to facilitate unauthorized access. Monitoring for changes to the trusted IP list helps ensure that any attempt to bypass MFA is legitimate and authorized. If the detection is a true positive, it suggests that users logging in from the newly added trusted IP can bypass MFA, potentially weakening the security posture of the organization. This could lead to unauthorized access, especially if the IP was added maliciously. Immediate investigation is required to validate the legitimacy of the IP addition and to assess potential security implications.
 how_to_implement = You must install Splunk Microsoft Office 365 add-on. This search works with o365:management:activity 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = Unless it is a special case, it is uncommon to continually update Trusted IPs to MFA configuration.
 providing_technologies = null
 
@@ -3000,7 +3070,7 @@ asset_type = O365
 confidence = medium
 explanation = The following analytic identies scenarios where the same user session is accessed from multiple IP addresses. This situation typically arises in an adversary-in-the-middle (AiTM) phishing attack, where attackers compromise user sessions. The detection method involves analyzing Azure Active Directory logs for 'UserLoggedIn' operations. It focuses on identifying sessions where the number of associated IP addresses exceeds one for the same SessionId. This pattern suggests potential unauthorized concurrent access, which is atypical under normal usage scenarios. If a true positive is identified, it implies that an adversary has gained unauthorized access to a user's Office 365 account. The ramifications of this can be significant, including data theft, account takeover, and launching of internal phishing campaigns.
 how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1185"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.CM"]}
 known_false_positives = Unknown
 providing_technologies = null
 
@@ -3010,7 +3080,7 @@ asset_type = Office 365
 confidence = medium
 explanation = This analytic identifies instances where Multi-Factor Authentication (MFA) is disabled for a user within the Office 365 environment. Disabling MFA removes a critical security layer, making accounts more vulnerable to unauthorized access. The detection leverages O365 audit logs, specifically focusing on events related to MFA settings. By monitoring these logs, the analytic captures and alerts on any actions that result in the deactivation or disabling of MFA for a user. MFA is a cornerstone of modern security practices, providing an additional layer of protection beyond just a password. Disabling MFA, especially without a valid reason, poses a significant security risk. Attackers, after gaining initial access to an account, might disable MFA to ensure easier re-entry and persistence. Monitoring for such changes is crucial to detect potential security breaches and to ensure that security best practices are consistently applied. If the detection is a true positive, it indicates that a user's account is now at increased risk of unauthorized access, as the added security layer of MFA has been removed. This could be a sign of an attacker trying to maintain persistence or an insider threat. Immediate investigation is required to validate the reason for disabling MFA, potentially re-enable it, and assess any other suspicious activities related to the affected account.
 how_to_implement = You must install the Splunk Microsoft Office 365 add-on. This search works with o365:management:activity 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1556"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556"], "nist": ["DE.CM"]}
 known_false_positives = Unless it is a special case, it is uncommon to disable MFA or Strong Authentication
 providing_technologies = null
 
@@ -3020,7 +3090,7 @@ asset_type = Office 365
 confidence = medium
 explanation = This search detects when an excessive number of authentication failures occur this search also includes attempts against MFA prompt codes
 how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]}
 known_false_positives = The threshold for alert is above 10 attempts and this should reduce the number of false positives.
 providing_technologies = null
 
@@ -3030,7 +3100,7 @@ asset_type = Office 365
 confidence = medium
 explanation = The following analytic detects accounts with high number of Single Sign ON (SSO) logon errors. Excessive logon errors may indicate attempts to bruteforce of password or single sign on token hijack or reuse.
 how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1556"], "nist": ["DE.AE"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556"], "nist": ["DE.AE"]}
 known_false_positives = Logon errors may not be malicious in nature however it may indicate attempts to reuse a token or password obtained via credential access attack.
 providing_technologies = null
 
@@ -3040,17 +3110,27 @@ asset_type = Office 365 tenant
 confidence = medium
 explanation = This analytic identifies instances where a user in the Office 365 environment grants consent to an application that requests file permissions, specifically targeting OneDrive or SharePoint. Such permissions mean the application could potentially access, modify, or delete files stored within these services. The detection process leverages O365 audit logs, particularly focusing on events related to OAuth application consents. By examining these logs, the analytic is designed to capture and alert on any actions where users grant consent to applications requesting file-related permissions for OneDrive or SharePoint. The sensitivity of file permissions, especially in platforms as widely utilized as OneDrive and SharePoint, cannot be overstated. While many legitimate applications might require such permissions to operate, there's an inherent risk with malicious or overly permissive applications. Attackers could craft or exploit applications to gain file permissions, aiming to access, exfiltrate, or manipulate sensitive data housed in OneDrive or SharePoint. It's crucial for security operations centers to monitor these consents to ensure that only trustworthy applications gain access and that users aren't inadvertently granting permissions to potentially harmful applications. If this detection flags a true positive, it indicates that an application has been granted permissions that could allow it to interact with OneDrive or SharePoint files in potentially malicious ways. Such actions could lead to data breaches, data loss, or unauthorized data manipulation. Immediate investigation would be required to validate the application's legitimacy, understand the nature of its requested permissions, and assess the potential risks associated with the access it's been granted. 
how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]}
 known_false_positives = OAuth applications that require file permissions may be legitimate, investigate and filter as needed.
 providing_technologies = null
 
+[savedsearch://ESCU - O365 FullAccessAsApp Permission Assigned - Rule] 
+type = detection 
+asset_type = Office 365 
+confidence = medium 
+explanation = The following analytic triggers on the assignment of the 'full_access_as_app' permission to an application registration in Office 365, specifically within Exchange Online. The 'full_access_as_app' permission, identified by its GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', allows an application extensive control over Office 365 operations, including access to all mailboxes and the ability to send mail as any user. The analytic focuses on the ResourceAppId '00000002-0000-0ff1-ce00-000000000000', pinpointing permissions granted to the Office 365 Exchange Online resource. By analyzing Office 365 management activity logs and filtering Azure Active Directory workload events, the query detects when this specific permission is assigned. Monitoring this assignment is vital due to the broad access it provides, which can lead to unauthorized data access or exfiltration if misused. A true positive detection requires immediate attention to prevent potential security risks like account compromise or data loss. 
+how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.002", "T1098.003"], "nist": ["DE.CM"]} 
+known_false_positives = The full_access_as_app API permission may be assigned to legitimate applications. Filter as needed. 
+providing_technologies = null 
+
 [savedsearch://ESCU - O365 High Number Of Failed Authentications for User - Rule]
 type = detection
 asset_type = O365 tenant
 confidence = medium
 explanation = The following analytic identifies an O365 account that has experienced more than 20 failed authentication events within a span of 5 minutes. This could be indicative of an attacker attempting to brute force or guess the password for that particular user account. It leverages the O365 Unified Audit Logs, specifically the "UserLoginFailed" events. By monitoring the frequency and volume of these events for individual users, the analytic can flag accounts that exceed the set threshold of failed attempts within the defined timeframe. Multiple failed login attempts in a short period can be a strong indicator of malicious activity. While there could be benign reasons, such as a user forgetting their password, the rapid succession of failed attempts is often a sign of an attacker trying to gain unauthorized access. By detecting and alerting on this behavior, the SOC can quickly investigate and take appropriate action, potentially stopping an attack in its early stages. Given that environments differ across organizations, security teams should consider customizing the threshold of this detection to better suit their specific needs and risk profile. If an attacker successfully guesses or brute-forces a user's password after numerous attempts, they can gain unauthorized access to the O365 environment. This unauthorized access could allow them to view sensitive emails, documents, and other data. 
how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1110", "T1110.001"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001"], "nist": ["DE.CM"]}
 known_false_positives = Although unusual, users who have lost their passwords may trigger this detection. Filter as needed.
 providing_technologies = null
 
@@ -3060,7 +3140,7 @@ asset_type = Office 365 tenant
 confidence = medium
 explanation = This analytic detects when high-privilege roles, specifically "Exchange Administrator", "SharePoint Administrator", or "Global Administrator", are granted within Office 365. By monitoring O365 audit logs for events where these administrative roles are assigned to any user or service account, the analytic provides insight into critical role changes. The assignment of these roles is of paramount importance to Security Operations Centers (SOCs) as they grant extensive permissions, allowing for broad access and control over critical organizational resources and data. An unexpected or unauthorized role assignment could indicate potential malicious activity, insider threats, or misconfigurations. If an attacker or unauthorized individual is granted one of these roles, the potential impact includes gaining significant control over O365 resources, accessing, modifying, or deleting critical data, making configuration changes, and potentially compromising the overall security and functionality of the O365 environment.
 how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
 known_false_positives = Privilege roles may be assigned for legitimate purposes, filter as needed.
 providing_technologies = null
 
@@ -3070,7 +3150,7 @@ asset_type = Office 365 tenant
 confidence = medium
 explanation = The following analytic identifies instances where a user grants consent to an application that requests mail related permissions within the Office 365 environment. This could involve permissions to read, send, or manage mail settings. It leverages the O365 audit logs, specifically events related to application permissions and user consent actions. By filtering for mail-related permissions and user-granted consents, the analytic pinpoints potential security concerns. While many legitimate applications request mail permissions for valid reasons, malicious actors can exploit these permissions for data exfiltration, spear phishing, or other malicious activities. By monitoring for user-granted mail permissions, security teams can identify and review potentially risky consents, ensuring that only trusted applications have access to sensitive email data. If the detection is a true positive, it indicates that an application now has access to the users mail data as permitted. In the hands of a malicious actor, this could lead to unauthorized data access, email forwarding, or even the sending of malicious emails from the compromised account. Its crucial to validate the legitimacy of the application and the context of the consent to prevent potential data breaches or further malicious activities.
 how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]}
 known_false_positives = OAuth applications that require mail permissions may be legitimate, investigate and filter as needed.
 providing_technologies = null
 
@@ -3080,7 +3160,7 @@ asset_type = Office 365 Tenant
 confidence = medium
 explanation = The following analytic identifies instances where the inbox folder of a mailbox in Office 365 is shared with all users within the tenant. Sharing the inbox folder with all users is an unusual and risky configuration. Attackers have been known to exploit this setting to surreptitiously read a target user's emails from another account. Such unauthorized access can lead to data breaches, leakage of confidential information, or further compromise based on the information gathered from the emails. Monitoring for this configuration change ensures that inadvertent or malicious sharing is promptly identified and addressed. If an attacker successfully configures the inbox to be shared with all users, they can access and read all emails in the affected mailbox from any account within the tenant. This can lead to data exfiltration, spear-phishing attacks based on the information in the emails, or further malicious activities using sensitive information gathered from the mailbox.
 how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.CM"]}
 known_false_positives = Administrators might temporarily share a mailbox with all users for legitimate reasons, such as troubleshooting, migrations, or other administrative tasks. Some organizations use shared mailboxes for teams or departments where multiple users need access to the same mailbox. Filter as needed.
 providing_technologies = null
 
@@ -3090,7 +3170,7 @@ asset_type = Office 365 tenant
 confidence = medium
 explanation = The following analytic identifies instances where the Mail.Read Graph API permissions are granted to an application registration within an Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in application permissions within the AzureActiveDirectory workload. The Mail.Read permission allows applications to access and read all emails within a user's mailbox. Emails often contain sensitive or confidential information, and unauthorized access can lead to data breaches or leakage. Monitoring the assignment of this permission ensures that only legitimate applications have such access and that any inadvertent or malicious assignments are promptly identified. If an attacker successfully grants this permission to a malicious or compromised application, they can read all emails in the affected mailboxes. This can lead to data exfiltration, spear-phishing attacks, or further compromise based on the information gathered from the emails.
 how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1114.002", "T1114", "T1098", "T1098.003"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1114.002", "T1114", "T1098", "T1098.003"], "nist": ["DE.CM"]}
 known_false_positives = There are legitimate scenarios in wich an Application registrations requires Mailbox read access. Filter as needed.
 providing_technologies = null
 
@@ -3100,7 +3180,7 @@ asset_type = O365 tenant
 confidence = medium
 explanation = This analytic detects potential distributed password spraying attacks within an Office 365 environment. It identifies a significant increase in failed authentication attempts characterized by diverse user-and-IP address combinations, originating from multiple source IP addresses, and utilizing various user agents. These patterns may indicate an adversary's attempt to circumvent security controls by employing a spectrum of IP addresses to test commonly used passwords against a wide range of user accounts. The detection examines UserLoginFailed events from O365 Management Activity logs, with a particular focus on events with ErrorNumber 50126, which indicates a failed authentication due to incorrect credentials. By aggregating data over a five-minute interval, the analytic calculates the distinct counts of user-and-IP combinations and unique users and source IPs. It then applies a set of thresholds to these metrics to identify abnormal activities that could suggest a coordinated attack. The predefined thresholds within the analytic (such as unique IPs, unique users, etc.) serve as initial benchmarks and should be tailored to align with the organization's typical user behavior and risk tolerance. Early detection of such distributed activities is crucial for security operations centers (SOCs) to intercept unauthorized access attempts, avert account takeovers, and reduce the risk of subsequent malevolent actions within the organization's systems. A true positive alert from this analytic would indicate an ongoing distributed password spraying campaign targeting the organization's Office 365 tenant. If such an attack is successful, it could lead to unauthorized access, especially to accounts with administrative privileges, resulting in data breaches, privilege escalation, persistent threats, and lateral movement within the organization's digital environment. 
how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
 known_false_positives = This detection may yield false positives in scenarios where legitimate bulk sign-in activities occur, such as during company-wide system updates or when users are accessing resources from varying locations in a short time frame, such as in the case of VPNs or cloud services that rotate IP addresses. Filter as needed.
 providing_technologies = null
 
@@ -3110,7 +3190,7 @@ asset_type = Office 365
 confidence = medium
 explanation = This analytic is crafted to identify unusual and potentially malicious authentication activity within an O365 environment. It triggers when a single user account is involved in more than 8 authentication attempts, using 3 or more unique application IDs and more than 5 unique user agents within a short timeframe. This pattern is atypical for regular user behavior and may indicate an adversary's attempt to probe the environment, testing for multi-factor authentication requirements across different applications and platforms. The detection is based on analysis of O365 audit logs, specifically focusing on authentication events. It employs statistical thresholds to highlight instances where the volume of authentication attempts and the diversity of application IDs and user agents associated with a single user account exceed normal parameters. Identifying this behavior is crucial as it provides an early indication of potential account compromise. Adversaries, once in possession of user credentials, often conduct reconnaissance to understand the security controls in place, including multi-factor authentication configurations. Tools like Invoke-MFASweep are commonly used for this purpose, automating the process of testing different user agents and application IDs to bypass MFA. By detecting these initial probing attempts, security teams can swiftly respond, potentially stopping an attack in its early stages and preventing further unauthorized access. This proactive stance is vital for maintaining the integrity of the organization's security posture. If validated as a true positive, this detection points to a compromised account, signaling that an attacker is actively attempting to navigate security controls to maintain access and potentially escalate privileges. This could lead to further exploitation, lateral movement within the network, and eventual data exfiltration. 
Recognizing and responding to this early stage of an attack is vital for preventing substantial harm and safeguarding sensitive organizational data and systems.
 how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
 known_false_positives = Rapid authentication from the same user using more than 5 different user agents and 3 application IDs is highly unlikely under normal circumstances. However, there are potential scenarios that could lead to false positives.
 providing_technologies = null
 
@@ -3120,17 +3200,47 @@ asset_type = Office 365 tenant
 confidence = medium
 explanation = This analytic identifies potential "MFA fatigue" attacks targeting Office 365 users. Specifically, it detects scenarios where a user experiences more than nine Multi-Factor Authentication (MFA) prompts within a 10-minute timeframe. Attackers may exploit MFA fatigue by repeatedly triggering MFA requests, hoping that the user, out of frustration or oversight, will approve a malicious authentication attempt. The detection leverages O365 management activity logs, focusing on Azure Active Directory events. It looks for the UserLoginFailed operation combined with a Success ResultStatus and an ErrorNumber of 500121, which indicates MFA prompts. By monitoring these specific events and conditions, the analytic captures and alerts on potential MFA fatigue scenarios. With MFA being a cornerstone of modern cybersecurity defenses, attackers are constantly seeking ways to bypass or exploit it. MFA fatigue is one such tactic, where attackers rely on user frustration or confusion caused by frequent MFA prompts. Detecting potential MFA fatigue scenarios allows security teams to proactively investigate and ensure that users aren't inadvertently granting access to malicious actors. If this detection flags a true positive, it suggests a potential attempt by an attacker to exploit MFA mechanisms to gain unauthorized access to an O365 account. Successful exploitation could lead to data breaches, unauthorized data access, or further compromise within the O365 environment. Immediate investigation and response would be crucial to safeguard the affected account and assess the full scope of the potential breach.
 how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1621"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1621"], "nist": ["DE.CM"]}
 known_false_positives = Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed.
 providing_technologies = null
 
+[savedsearch://ESCU - O365 Multiple Mailboxes Accessed via API - Rule] 
+type = detection 
+asset_type = Office 365 tenant 
+confidence = medium 
+explanation = The following analytic is designed to trigger when a high number of Office 365 Exchange mailboxes are accessed via API (Microsoft Graph API or Exchange Web Services) in a short time, hinting at possible unauthorized mass email access. It tracks 'MailItemsAccessed' operations in Exchange, using AppId and regex to identify API interactions. Crucial for SOC teams, this analytic focuses on spotting abnormal access patterns, often signaling data exfiltration or account compromise. Security teams should tailor the threshold set here to flag over five unique mailboxes accessed within 10 minutes to align with their environment's norms, ensuring effective detection of potential security incidents while maintaining operational efficiency. 
+how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.002"], "nist": ["DE.CM"]} 
+known_false_positives = Legitimate applications may access multiple mailboxes via an API. You can filter by the ClientAppId or the CLientIpAddress fields. 
+providing_technologies = null 
+
+[savedsearch://ESCU - O365 Multiple Service Principals Created by SP - Rule] 
+type = detection 
+asset_type = Office 365 
+confidence = medium 
+explanation = This detection aims to identify instances where a single service principal creates more than three unique OAuth applications within a 10-minute timeframe, using O365 logs from the Unified Audit Log. The focus is on tracking the 'Add service principal' operation within the Office 365 Azure Active Directory environment. The query effectively buckets events in 10-minute intervals, specifically scrutinizing the actions of service principals. By quantifying the number of distinct OAuth applications each service principal establishes, the analytic provides critical insights for SOC teams into potentially anomalous or malicious activities. These activities could include a compromised or malicious service principal being used to create multiple service principals, which might be indicative of an attempt to expand control or access within the network. Security teams are advised to adapt the threshold of three applications to align with their typical operational baseline 
+how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"]} 
+known_false_positives = Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed. 
+providing_technologies = null 
+
+[savedsearch://ESCU - O365 Multiple Service Principals Created by User - Rule] 
+type = detection 
+asset_type = Office 365 
+confidence = medium 
+explanation = This detection is tailored to spot occurrences where a single user, rather than a service principal, creates more than three unique OAuth applications within a 10-minute window in the Office 365 environment. 
Utilizing O365 logs from the Unified Audit Log, it focuses on the 'Add service principal' operation in Azure Active Directory. The query segments events into 10-minute intervals, exclusively monitoring user activities. It calculates the number of distinct OAuth applications initiated by each user, providing SOC teams with essential data for identifying potential security threats. Such activity could suggest that a user account is either compromised or engaged in unauthorized activities, potentially setting the stage for broader network infiltration or privilege escalation. It's important for security teams to adjust the threshold of three applications to fit their operational context. +how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"]} +known_false_positives = Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed. +providing_technologies = null + [savedsearch://ESCU - O365 Multiple Users Failing To Authenticate From Ip - Rule] type = detection asset_type = Office 365 tenant confidence = medium explanation = This analytic identifies instances where multiple users (more than 10 unique accounts) have failed to authenticate from a single IP address within a short time span (5 minutes). Such a pattern can be indicative of malicious activities, such as brute-force attacks or password spraying attempts. The detection leverages O365 audit logs, specifically focusing on Azure Active Directory login failures (AzureActiveDirectoryStsLogon). By aggregating these failures based on the source IP address and time, the analytic captures patterns where multiple unique user accounts have authentication failures from the same IP within a 5-minute window. 
Multiple authentication failures from a single IP address targeting various accounts can be a strong indicator of an attacker trying to gain unauthorized access. It could represent a brute-force attack, password spraying, or other malicious login attempts. Identifying and responding to such patterns promptly is crucial to prevent potential account compromises and unauthorized access to organizational resources. If the detection is a true positive, it suggests that an external entity is actively trying to breach the security by targeting multiple user accounts. While the attempts have been unsuccessful (as indicated by the login failures), it's a clear sign of malicious intent. Immediate action is required to block or monitor the suspicious IP, investigate the nature of the attempts, and potentially notify affected users to take precautionary measures like password changes or enabling multi-factor authentication. how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.CM"]} known_false_positives = A source Ip failing to authenticate with multiple users in a short period of time is not common legitimate behavior. providing_technologies = null 
@@ -3140,7 +3250,7 @@ asset_type = Office 365 confidence = medium explanation = The following analytic identifies the addition of a new federated domain in an organization's Office 365 environment. This behavior is detected by analyzing the Office 365 management activity logs using the Splunk query o365_management_activity, specifically filtering for the Workload=Exchange and Operation="Add-FederatedDomain" parameters. The addition of a new federated domain can be a significant security concern, as it might indicate unauthorized changes or potential compromises within the Office 365 setup. Attackers, upon gaining sufficient privileges, could add a federated domain to establish a backdoor, bypass security measures, or exfiltrate data. Such unauthorized changes can lead to data breaches, unauthorized access to sensitive data, and potential compromise of organizational infrastructure. When this analytic is triggered, immediate steps should include reviewing the details of the added federated domain, such as the organization name, originating server, user ID, and user key. Concurrent processes or other indicators of compromise should also be investigated to pinpoint the source of the potential breach. how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]} known_false_positives = The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider. providing_technologies = null 
@@ -3150,17 +3260,47 @@ asset_type = Office 365 tenant confidence = medium explanation = This analytic detects the registration of a new Multi-Factor Authentication (MFA) method associated with a user account within Office 365 by monitoring O365 audit logs and configurations. While adding a new MFA method can be a routine and legitimate action, it can also be indicative of an attacker's attempt to maintain persistence on a compromised account. By registering a new MFA method, attackers can potentially bypass existing security measures, allowing them to authenticate using stolen credentials without raising alarms. Monitoring for such changes is crucial, especially if the addition is not preceded by a user request or if it deviates from typical user behavior. If an attacker successfully registers a new MFA method on a compromised account, they can solidify their access, making it harder for legitimate users to regain control. The attacker can then operate with the privileges of the compromised account, potentially accessing sensitive data, making unauthorized changes, or even escalating their privileges further. Immediate action would be required to verify the legitimacy of the MFA change and, if malicious, to remediate and secure the affected account. how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1098", "T1098.005"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.005"], "nist": ["DE.CM"]} known_false_positives = Users may register MFA methods legitimally, investigate and filter as needed. 
providing_technologies = null +[savedsearch://ESCU - O365 OAuth App Mailbox Access via EWS - Rule] +type = detection +asset_type = Office 365 tenant +confidence = medium +explanation = The following analytic detects when emails are accessed in Office 365 Exchange via Exchange Web Services (EWS), as indicated by the ClientInfoString field starting with "Client=WebServices;ExchangeWebServices". It monitors mailbox activities, focusing on OAuth-authenticated applications that interact with EWS. The query aggregates key metrics such as access counts, timing, and client IP addresses, categorized by user, ClientAppId, OperationCount, and AppId. For defenders, it is critical to keep track of OAuth applications using EWS to access emails, as this information is instrumental in identifying and preventing potential abuse or unauthorized data access. +how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.002"], "nist": ["DE.CM"]} +known_false_positives = OAuth applications may access mailboxes for legitimate purposes, you can use the src_ip to add trusted sources to an allow list. +providing_technologies = null + +[savedsearch://ESCU - O365 OAuth App Mailbox Access via Graph API - Rule] +type = detection +asset_type = Office 365 tenant +confidence = medium +explanation = This Splunk analytic detects when emails are accessed in Office 365 Exchange via the Microsoft Graph API, identified by the client ID '00000003-0000-0000-c000-000000000000'. It tracks the 'MailItemsAccessed' operation within the Exchange workload, focusing on OAuth-authenticated applications. The query compiles statistics on access frequency, timing, and client IP addresses, organized by user, client application ID, and AppId. 
For defenders, it's crucial to maintain an inventory of all OAuth applications that read emails, using this data to scrutinize and identify any potential abusive access patterns. +how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.002"], "nist": ["DE.CM"]} +known_false_positives = OAuth applications may access mailboxes for legitimate purposes, you can use the ClientAppId to add trusted applications to an allow list. +providing_technologies = null + +[savedsearch://ESCU - O365 Privileged Graph API Permission Assigned - Rule] +type = detection +asset_type = Office 365 tenant +confidence = medium +explanation = This Splunk analytic detects the assignment of critical Graph API permissions in Azure AD using O365 Unified Audit Log as its data source. It focuses on three permissions, Application.ReadWrite.All (Entitlement ID 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9), AppRoleAssignment.ReadWrite.All (06b708a9-e830-4db3-a914-8e69da51d44f), and RoleManagement.ReadWrite.Directory (9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). These permissions, crucial for controlling Azure AD settings, pose a high risk if misused. The query monitors Azure Active Directory workload events in the Office 365 Management Activity, specifically 'Update application' operations. It extracts and analyzes data to spot when these permissions are granted, gathering details about the user, object, and user agent involved. Due to the significant control these permissions provide, immediate investigation is crucial upon detection to prevent unauthorized modifications. +how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]} +known_false_positives = Privileged Graph API permissions may be assigned for legitimate purposes. Filter as needed. +providing_technologies = null + [savedsearch://ESCU - O365 PST export alert - Rule] type = detection asset_type = Office 365 confidence = medium explanation = This analytic detects instances where a user has initiated an eDiscovery search or exported a PST file from the search results in an Office 365 environment. The detection leverages the Office 365 management activity logs, specifically filtering for events categorized under ThreatManagement with the name eDiscovery search started or exported. The initiation of an eDiscovery search or the export of a PST file can be indicative of data exfiltration attempts or unauthorized access to sensitive information. PST files often contain a wealth of sensitive data, including the content of emails. Monitoring for such activities is crucial as they can expose sensitive organizational communications and data. If confirmed as a malicious activity, it suggests that an attacker or insider threat is attempting to gather or exfiltrate data. This can lead to data breaches, loss of intellectual property, or unauthorized access to confidential communications. Immediate investigation is required to determine the scope and intent of the activity and to take appropriate remedial actions. how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1114"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114"], "nist": ["DE.CM"]} known_false_positives = PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored. providing_technologies = null 
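Review bot: The `mitre_attack` value `["T1003.002"]` in the new `ESCU - O365 Privileged Graph API Permission Assigned` stanza does not match the behaviour the stanza describes: T1003.002 is OS Credential Dumping via the Security Account Manager, whereas the explanation covers granting Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All or RoleManagement.ReadWrite.Directory to an application. A cloud account-manipulation technique such as T1098.003, which this same file already uses for the admin-consent detection a few hunks below, looks like the intended mapping, e.g. `+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1098.003"], "nist": ["DE.CM"]}`. Because dist/ is regenerated by the release job, the correction belongs in the source detection YAML rather than in this file, and the `kill_chain_phases` entry should be re-checked once the technique is settled.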
@@ -3170,7 +3310,7 @@ asset_type = Office 365 confidence = medium explanation = The following analytic identifies the addition of new credentials for Service Principals in addition to existing legitimate credentials within a Office 365 tenant. These credentials include both x509 certificates and passwords. It leverages O365 audit logs, specifically events related to credential modifications or additions within the AzureActiveDirectory workload for service principals. Service principals represent application identities in Office 365 / AzureAD, and their credentials allow applications to authenticate and access resources. Adding new credentials or modifying existing ones can be an indication of configuration changes, but it can also be a sign of malicious intent If an attacker successfully adds or modifies credentials for a service principal, they can potentially use those credentials to authenticate as the application, gaining access to resources and data the application is permitted to access. This can lead to unauthorized data access, data exfiltration, or malicious operations performed under the guise of the application how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1098", "T1098.001"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.001"], "nist": ["DE.CM"]} known_false_positives = Service Principal client credential modifications may be part of legitimate administrative operations. Filter as needed. providing_technologies = null 
@@ -3180,7 +3320,7 @@ asset_type = Office 365 confidence = medium explanation = This search detects when an admin configured a forwarding rule for multiple mailboxes to the same destination. how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1114.003", "T1114"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.003", "T1114"], "nist": ["DE.AE"]} known_false_positives = unknown providing_technologies = null 
@@ -3190,7 +3330,7 @@ asset_type = Office 365 confidence = medium explanation = This analytic identifies instances where potentially suspicious rights are delegated within the Office 365 environment. Specifically, it detects when a user is granted FullAccess, SendAs, or SendOnBehalf permissions on another user's mailbox. Such permissions can allow a user to access, send emails from, or send emails on behalf of the target mailbox. The detection leverages O365 audit logs, focusing on the Add-MailboxPermission operation. By parsing the parameters of this operation, the analytic filters for events where FullAccess, SendAs, or SendOnBehalf rights are granted. It then aggregates this data to capture the source user (who was granted the permissions), the destination user (whose mailbox was affected), the specific operation, and the type of access rights granted. Delegating mailbox rights, especially those as powerful as FullAccess, can pose significant security risks. While there are legitimate scenarios for these permissions, such as an executive assistant needing access to an executive's mailbox, there are also malicious scenarios where an attacker or a compromised insider might grant themselves unauthorized access to sensitive mailboxes. Monitoring for these permissions changes is crucial to detect potential insider threats, compromised accounts, or other malicious activities.If the detection is a true positive, it indicates that a user has been granted potentially high-risk permissions on another user's mailbox. This could lead to unauthorized access to sensitive emails, impersonation through sending emails as or on behalf of the mailbox owner, or data manipulation by altering or deleting emails. Immediate investigation is required to validate the legitimacy of the permission change and to assess the potential risks associated with the granted access. 
how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1114.002", "T1114", "T1098.002", "T1098"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1114.002", "T1114", "T1098.002", "T1098"], "nist": ["DE.CM"]} known_false_positives = While there are legitimate scenarios for these permissions, such as an executive assistant needing access to an executive's mailbox, there are also malicious scenarios. Investigate and filter as needed. providing_technologies = null 
@@ -3200,7 +3340,7 @@ asset_type = Office 365 confidence = medium explanation = The following analytic detects when multiple users have configured a forwarding rule to the same destination to proactively identify and investigate potential security risks related to email forwarding and take appropriate actions to protect the organization's data and prevent unauthorized access or data breaches. This detection is made by a Splunk query to O365 management activity logs with the operation `Set-Mailbox` to gather information about mailbox configurations. Then, the query uses the `spath` function to extract the parameters and rename the "Identity" field as "src_user" and searches for entries where the "ForwardingSmtpAddress" field is not empty, which indicates the presence of a forwarding rule. Next, the analytic uses the `stats` command to group the results by the forwarding email address and count the number of unique source users (`src_user`). Finally, it filters the results and only retains entries where the count of source users (`count_src_user`) is greater than 1, which indicates that multiple users have set up forwarding rules to the same destination. This detection is important because it suggests that multiple users are forwarding emails to the same destination without proper authorization, which can lead to the exposure of sensitive information, loss of data control, or unauthorized access to confidential emails. Investigating and addressing this issue promptly can help prevent data breaches and mitigate potential damage.indicates a potential security risk since multiple users forwarding emails to the same destination can be a sign of unauthorized access, data exfiltration, or a compromised account. Additionally, it also helps to determine if the forwarding rules are legitimate or if they indicate a security incident. 
False positives can occur if there are legitimate reasons for multiple users to forward emails to the same destination, such as a shared mailbox or a team collaboration scenario. Next steps include further investigation and context analysis to determine the legitimacy of the forwarding rules. how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1114.003", "T1114"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.003", "T1114"], "nist": ["DE.AE"]} known_false_positives = unknown providing_technologies = null 
@@ -3210,7 +3350,7 @@ asset_type = Office 365 confidence = medium explanation = The following analytic identifies instances where admin consent is granted to an application within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to the admin consent action within the AzureActiveDirectory workload. The admin consent action allows applications to access data across the entire tenant, potentially encompassing a vast amount of organizational data. Given its broad scope and the sensitivity of some permissions that can only be granted via admin consent, it's crucial to monitor this action. Unauthorized or inadvertent granting of admin consent can lead to significant security risks, including data breaches, unauthorized data access, and potential compliance violations. If an attacker successfully tricks an administrator into granting admin consent to a malicious or compromised application, they can gain extensive and persistent access to organizational data. This can lead to data exfiltration, espionage, further malicious activities within the tenant, and potential breaches of compliance regulations how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} known_false_positives = Legitimate applications may be granted tenant wide consent, filter as needed. providing_technologies = null 
@@ -3220,7 +3360,7 @@ asset_type = Office 365 tenant confidence = medium explanation = The following analytic identifies instances where Office 365 has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This suggests that the application has exhibited behaviors or characteristics that are commonly associated with malicious intent or poses a security risk. This detection leverages the O365 audit logs, specifically focusing on events related to user consent actions and system-driven blocks. By filtering for blocked consent actions associated with applications, the analytic highlights instances where O365's built-in security measures have intervened. Applications that are flagged and blocked by O365 typically exhibit suspicious characteristics or behaviors. Monitoring for these blocked consent attempts helps security teams identify potential threats early on and can provide insights into users who might be targeted or susceptible to such risky applications. It's an essential layer of defense in ensuring that malicious or risky applications don't gain access to organizational data. If the detection is a true positive, it indicates that the built-in security measures of O365 successfully prevented a potentially harmful application from gaining access. However, the attempt itself suggests that either a user might be targeted or that there's a presence of malicious applications trying to infiltrate the organization. Immediate investigation is required to understand the context of the block and to take further preventive measures. how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} known_false_positives = Microsofts algorithm to identify risky applications is unknown and may flag legitimate applications. providing_technologies = null 
@@ -3230,7 +3370,7 @@ asset_type = Office 365 tenant confidence = medium explanation = The following analytic identifies instances where a user has actively denied consent to an OAuth application seeking permissions within the Office 365 environment. This suggests that the user either recognized something suspicious about the application or chose not to grant it the requested permissions for other reasons. This detection leverages the O365 audit logs, specifically focusing on events related to user consent actions. By filtering for denied consent actions associated with OAuth applications, the analytic captures instances where users have actively rejected permission requests. While user-denied consents can be routine, they can also be indicative of users spotting potentially suspicious or unfamiliar applications. By monitoring these denied consent attempts, security teams can gain insights into applications that might be perceived as risky or untrusted by users. It can also serve as a feedback loop for security awareness training, indicating that users are being cautious about granting permissions. If the detection is a true positive, it indicates that a user has actively prevented an OAuth application from gaining the permissions it requested. While this is a proactive security measure on the user's part, it's essential for security teams to review the context of the denial. Understanding why certain applications are being denied can help in refining application whitelisting policies and ensuring that no malicious applications are attempting to gain access. how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 events. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} known_false_positives = OAuth applications that require mail permissions may be legitimate, investigate and filter as needed. providing_technologies = null 
@@ -3240,7 +3380,7 @@ asset_type = Amazon Elastic Container Registry confidence = medium explanation = The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts. how_to_implement = Ensure that all relevant detections in the Dev Sec Ops analytic stories are enabled and are configured to create risk events in Enterprise Security. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} known_false_positives = Unknown providing_technologies = null 
@@ -3250,7 +3390,7 @@ asset_type = AWS Instance confidence = medium explanation = This search looks for AWS CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment. -annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} known_false_positives = Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user. providing_technologies = ["Amazon Web Services - Cloudtrail"] 
@@ -3260,7 +3400,7 @@ asset_type = AWS Instance confidence = medium explanation = This search looks for AWS CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel. how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment. -annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} known_false_positives = Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user. providing_technologies = ["Amazon Web Services - Cloudtrail"] 
@@ -3270,7 +3410,7 @@ asset_type = AWS Instance confidence = medium explanation = This search looks for AWS CloudTrail events where an abnormally high number of instances were successfully terminated by a user in a 10-minute window. This search is deprecated and have been translated to use the latest Change Datamodel. how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. -annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} known_false_positives = Many service accounts configured with your AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify whether this search alerted on a human user. providing_technologies = ["Amazon Web Services - Cloudtrail"] 
@@ -3280,7 +3420,7 @@ asset_type = AWS Instance confidence = medium explanation = This search looks for AWS CloudTrail events where a user successfully terminates an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel. how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment. -annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} known_false_positives = Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user. providing_technologies = ["Amazon Web Services - Cloudtrail"] 
@@ -3290,7 +3430,7 @@ asset_type = AWS Instance
 confidence = medium
 explanation = This search looks for AWS provisioning activities from previously unseen cities. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and have been translated to use the latest Change Datamodel.
 how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen AWS Provisioning Activity Sources" support search once to create a history of previously seen locations that have provisioned AWS resources.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]}
 known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.\
 This search will fire any time a new city is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your city, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -3301,7 +3441,7 @@ asset_type = AWS Instance
 confidence = medium
 explanation = This search looks for AWS provisioning activities from previously unseen countries. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and have been translated to use the latest Change Datamodel.
 how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen AWS Provisioning Activity Sources" support search once to create a history of previously seen locations that have provisioned AWS resources.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]}
 known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching over plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.\
 This search will fire any time a new country is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -3323,7 +3463,7 @@ asset_type = AWS Instance
 confidence = medium
 explanation = This search looks for AWS provisioning activities from previously unseen regions. Region in this context is similar to a state in the United States. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and have been translated to use the latest Change Datamodel.
 how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen AWS Provisioning Activity Sources" support search once to create a history of previously seen locations that have provisioned AWS resources.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]}
 known_false_positives = This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.\
 This search will fire any time a new region is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your region, there should be few false positives. If you are located in regions where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -3346,7 +3486,7 @@ explanation = This search allows you to identify the endpoints that have connect
 how_to_implement = This search requires that DNS data is being ingested and populating the `Network_Resolution` data model. This data can come from DNS logs or from solutions that parse network traffic for this data, such as Splunk Stream or Bro.\
 This search produces fields (`dest_count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\n1. **Label:** Distinct DNS Connections, **Field:** dest_count\
 Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]}
 known_false_positives = It's possible that an enterprise has more than five DNS servers that are configured in a round-robin rotation. Please customize the search, as appropriate.
 providing_technologies = null
 
@@ -3364,9 +3504,9 @@ providing_technologies = ["Amazon Web Services - Cloudtrail"]
 type = detection
 asset_type = AWS Account
 confidence = medium
-explanation = The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts.
+explanation = This search has been deprecated and updated with Risk Rule for Dev Sec Ops by Repository detection. The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts.
 how_to_implement = For Dev Sec Ops POC
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
 
@@ -3376,7 +3516,7 @@ asset_type = AWS Account
 confidence = medium
 explanation = The following analytic detects the correlation between the user and risk score and identifies users with a high risk score that pose a significant security risk such as unauthorized access attempts, suspicious behavior, or potential insider threats. Next, the analytic calculates the sum of the risk scores and groups the results by user, the corresponding signals, and the repository. The results are sorted in descending order based on the risk score and filtered to include records with a risk score greater than 80. Finally, the results are passed through a correlation filter specific to the user and risk. This detection is important because it identifies users who have a high risk score and helps to prioritize investigations and allocate resources. False positives might occur but the impact of such an attack can vary depending on the specific scenario such as data exfiltration, system compromise, or the disruption of critical services. Please investigate this notable event.
 how_to_implement = For Dev Sec Ops POC
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
 
@@ -3386,7 +3526,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for specific authentication events from the Windows Security Event logs to detect potential attempts at using the Pass-the-Hash technique. This search is DEPRECATED as it is possible for event code 4624 to generate a high level of noise, as legitimate logon events may also trigger this event code. This can be especially true in environments with high levels of user activity, such as those with many concurrent logons or frequent logon attempts.
 how_to_implement = To successfully implement this search, you must ingest your Windows Security Event logs and leverage the latest TA for Windows.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1550", "T1550.002"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.002"], "nist": ["DE.AE"]}
 known_false_positives = Legitimate logon activity by authorized NTLM systems may be detected by this search. Please investigate as appropriate.
 providing_technologies = ["Microsoft Windows"]
 
@@ -3418,7 +3558,7 @@ This search produces fields (`eventName`,`firstTime`,`lastTime`) that are not ye
 1. \
 1. **Label:** Last Time, **Field:** lastTime\
 Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
 known_false_positives = It's likely that you'll find activity detected by users/service accounts that are not listed in the `identity_lookup_expanded` or ` aws_service_accounts.csv` file. If the user is a legitimate service account, update the `aws_service_accounts.csv` table with that entry.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
 
@@ -3432,7 +3572,7 @@ how_to_implement = You need to ingest data from your DNS logs in the Network_Res
 If Splunk>Phantom is also configured in your environment, a Playbook called `Lets Encrypt Domain Investigate` can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active. \
 (Playbook link:`https://my.phantom.us/4.2/playbook/lets-encrypt-domain-investigate/`).\
 
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1566.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.003"], "nist": ["DE.CM"]}
 known_false_positives = If a known good domain is not listed in the legit_domains.csv file, then the search could give you false postives. Please update that lookup file to filter out DNS requests to legitimate domains.
 providing_technologies = null
 
@@ -3442,7 +3582,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is used to detect attempts to use DNS tunneling, by calculating the length of responses to DNS TXT queries. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting unusually large volumes of DNS traffic. Deprecated because this detection should focus on DNS queries instead of DNS responses.
 how_to_implement = To successfully implement this search you need to ingest data from your DNS logs, or monitor DNS traffic using Stream, Bro or something similar. Specifically, this query requires that the DNS data model is populated with information regarding the DNS record type that is being returned as well as the data in the answer section of the protocol.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]}
 known_false_positives = It's possible that legitimate TXT record responses can be long enough to trigger this search. You can modify the packet threshold for this search to help mitigate false positives.
 providing_technologies = null
 
@@ -3452,7 +3592,7 @@ asset_type = Windows
 confidence = medium
 explanation = This search looks for reading loaded Images unique to credential dumping with Mimikatz. Deprecated because mimikatz libraries changed and very noisy sysmon Event Code.
 how_to_implement = This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 7 with powershell.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]}
 known_false_positives = Other tools can import the same DLLs. These tools should be part of a whitelist. False positives may be present with any process that authenticates or uses credentials, PowerShell included. Filter based on parent process.
 providing_technologies = null
 
@@ -3462,7 +3602,7 @@ asset_type = Windows
 confidence = medium
 explanation = This search looks for PowerShell requesting privileges consistent with credential dumping. Deprecated, looks like things changed from a logging perspective.
 how_to_implement = You must be ingesting Windows Security logs. You must also enable the account change auditing here: http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/MonitorWindowseventlogdata. Additionally, this search requires you to enable your Group Management Audit Logs in your Local Windows Security Policy and to be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/. Finally, please make sure that the local administrator group name is "Administrators" to be able to look for the right group membership changes.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.CM"]}
 known_false_positives = The activity may be legitimate. PowerShell is often used by administrators to perform various tasks, and it's possible this event could be generated in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.
 providing_technologies = ["Microsoft Windows"]
 
@@ -3472,7 +3612,7 @@ asset_type = AWS Instance
 confidence = medium
 explanation = This search detects new API calls that have either never been seen before or that have not been seen in the previous hour, where the identity type is `AssumedRole`.
 how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously seen API call per user roles in AWS CloudTrail" support search once to create a history of previously seen user roles.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
 known_false_positives = It is possible that there are legitimate user roles making new or infrequently used API calls in your infrastructure, causing the search to trigger.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
 
@@ -3482,7 +3622,7 @@ asset_type = AWS Instance
 confidence = medium
 explanation = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour. Deprecated now this search is updated to use the Authentication datamodel.
 how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Run the "Previously seen users in AWS CloudTrail" support search only once to create a baseline of previously seen IAM users within the last 30 days. Run "Update previously seen users in AWS CloudTrail" hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
 known_false_positives = When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
 
@@ -3498,7 +3638,7 @@ This search produces fields (`eventName`,`numberOfApiCalls`,`uniqueApisCalled`)
 1. \
 1. **Label:** Unique API Calls, **Field:** uniqueApisCalled\
 Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
 known_false_positives = 
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
 
@@ -3508,7 +3648,7 @@ asset_type = AWS Instance
 confidence = medium
 explanation = This search will detect users creating spikes in API activity related to network access-control lists (ACLs)in your AWS environment. This search is deprecated and have been translated to use the latest Change Datamodel.
 how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the "Baseline of Network ACL Activity by ARN" support search once to create a lookup file of previously seen Network ACL Activity. To add or remove API event names related to network ACLs, edit the macro `network_acl_events`.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1562.007"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007"], "nist": ["DE.AE"]}
 known_false_positives = The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. Please modify this according the your environment.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
 
@@ -3518,7 +3658,7 @@ asset_type = AWS Instance
 confidence = medium
 explanation = This search will detect users creating spikes in API activity related to security groups in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and have been translated to use the latest Change Datamodel.
 how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike.This search works best when you run the "Baseline of Security Group Activity by ARN" support search once to create a history of previously seen Security Group Activity. To add or remove API event names for security groups, edit the macro `security_group_api_calls`.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
 known_false_positives = Based on the values of`dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. Please modify this according the your environment.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
 
@@ -3540,7 +3680,7 @@ explanation = This search looks for web connections to dynamic DNS providers.
 how_to_implement = This search requires you to be ingesting web-traffic logs. You can obtain these logs from indexing data from a web proxy or by using a network-traffic-analysis tool, such as Bro or Splunk Stream. The web data model must contain the URL being requested, the IP address of the host initiating the request, and the destination IP. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of dynamic DNS providers. Consider periodically updating this local lookup file with new domains.\
 This search produces fields (`isDynDNS`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\n1. **Label:** IsDynamicDNS, **Field:** isDynDNS\
 Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` Deprecated because duplicate.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1071.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.001"], "nist": ["DE.CM"]}
 known_false_positives = It is possible that list of dynamic DNS providers is outdated and/or that the URL being requested is legitimate.
 providing_technologies = null
 
@@ -3551,7 +3691,7 @@ confidence = medium
 explanation = This search is used to detect DNS tunneling, by calculating the sum of the length of DNS queries and DNS answers. The search also filters out potential false positives by filtering out queries made to internal systems and the queries originating from internal DNS, Web, and Email servers. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting an unusually large volume of DNS traffic. \
 NOTE:Deprecated because existing detection is doing the same. This detection is replaced with two other variations, if you are using MLTK then you can use this search `ESCU - DNS Query Length Outliers - MLTK - Rule` or use the standard deviation version `ESCU - DNS Query Length With High Standard Deviation - Rule`, as an alternantive.
 how_to_implement = To successfully implement this search, we must ensure that DNS data is being ingested and mapped to the appropriate fields in the Network_Resolution data model. Fields like src_category are automatically provided by the Assets and Identity Framework shipped with Splunk Enterprise Security. You will need to ensure you are using the Assets and Identity Framework and populating the src_category field. You will also need to enable the `cim_corporate_web_domain_search()` macro which will essentially filter out the DNS queries made to the corporate web domains to reduce alert fatigue.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]}
 known_false_positives = It's possible that normal DNS traffic will exhibit this behavior. If an alert is generated, please investigate and validate as appropriate. The threshold can also be modified to better suit your environment.
 providing_technologies = null
 
@@ -3561,7 +3701,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search will detect DNS requests resolved by unauthorized DNS servers. Legitimate DNS servers should be identified in the Enterprise Security Assets and Identity Framework.
 how_to_implement = To successfully implement this search you will need to ensure that DNS data is populating the Network_Resolution data model. It also requires that your DNS servers are identified correctly in the Assets and Identity table of Enterprise Security.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1071.004"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.004"], "nist": ["DE.CM"]}
 known_false_positives = Legitimate DNS activity can be detected in this search. Investigate, verify and update the list of authorized DNS servers as appropriate.
 providing_technologies = null
 
@@ -3575,7 +3715,7 @@ how_to_implement = To successfully implement this search you will need to ensure
 If Splunk>Phantom is also configured in your environment, a Playbook called "DNS Hijack Enrichment" can be configured to run when any results are found by this detection search. The playbook takes in the DNS record changed and uses Geoip, whois, Censys and PassiveTotal to detect if DNS issuers changed. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active. \
 (Playbook Link:`https://my.phantom.us/4.2/playbook/dns-hijack-enrichment/`).\
 
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1071.004"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.004"], "nist": ["DE.CM"]}
 known_false_positives = Legitimate DNS changes can be detected in this search. Investigate, verify and update the list of provided current answers for the domains in question as appropriate.
 providing_technologies = null
 
@@ -3586,7 +3726,7 @@ confidence = medium
 explanation = Detect a renamed instance of procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. Modify the query as needed.\
 During triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.001"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.AE"]}
 known_false_positives = None identified.
 providing_technologies = null
 
@@ -3596,7 +3736,7 @@ asset_type = AWS Instance
 confidence = medium
 explanation = This search looks for EC2 instances being modified by users who have not previously modified them. This search is deprecated and have been translated to use the latest Change Datamodel.
 how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen EC2 Launches By User" support search once to create a history of previously seen ARNs. To add or remove APIs that modify an EC2 instance, edit the macro `ec2_modification_api_calls`.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
 known_false_positives = It's possible that a new user will start to modify EC2 instances when they haven't before for any number of reasons. Verify with the user that is modifying instances that this is the intended behavior.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -3606,7 +3746,7 @@ asset_type = AWS Instance
 confidence = medium
 explanation = This search looks for AWS CloudTrail events where an instance is started in a particular region in the last one hour and then compares it to a lookup file of previously seen regions where an instance was started
 how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Run the "Previously seen AWS Regions" support search only once to create of baseline of previously seen regions. This search is deprecated and have been translated to use the latest Change Datamodel.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]}
 known_false_positives = It's possible that a user has unknowingly started an instance in a new region. Please verify that this activity is legitimate.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -3636,7 +3776,7 @@ asset_type = AWS Instance
 confidence = medium
 explanation = This search looks for EC2 instances being created by users who have not created them before. This search is deprecated and have been translated to use the latest Change Datamodel.
 how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen EC2 Launches By User" support search once to create a history of previously seen ARNs.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
 known_false_positives = It's possible that a user will start to create EC2 instances when they haven't before for any number of reasons. Verify with the user that is launching instances that this is the intended behavior.
 providing_technologies = ["Amazon Web Services - Cloudtrail"]
@@ -3646,7 +3786,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for processes launched from files with at least five spaces in the name before the extension. This is typically done to obfuscate the file extension by pushing it outside of the default view.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1036.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.003"], "nist": ["DE.CM"]}
 known_false_positives = None identified.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -3666,7 +3806,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for command-line arguments that use a `/c` parameter to execute a command that has not previously been seen.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.001", "T1059.003"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059.003"], "nist": ["DE.AE"]}
 known_false_positives = Legitimate programs can also use command-line arguments to execute. Please verify the command-line arguments to check what command/program is being executed. We recommend customizing the `first_time_seen_cmd_line_filter` macro to exclude legitimate parent_process_name
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -3676,7 +3816,7 @@ asset_type = GCP Account
 confidence = medium
 explanation = This search provides detection of accounts with high risk roles by projects. Compromised accounts with high risk roles can move laterally or even scalate privileges at different projects depending on organization schema.
 how_to_implement = You must install splunk GCP add-on. This search works with gcp:pubsub:message logs
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
 known_false_positives = Accounts with high risk roles should be reduced to the minimum number needed, however specific tasks and setups may be simply expected behavior within organization
 providing_technologies = null
@@ -3686,7 +3826,7 @@ asset_type = GCP Account
 confidence = medium
 explanation = This search provides detection of high risk permissions by resource and accounts. These are permissions that can allow attackers with compromised accounts to move laterally and escalate privileges.
 how_to_implement = You must install splunk GCP add-on. This search works with gcp:pubsub:message logs
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
 known_false_positives = High risk permissions are part of any GCP environment, however it is important to track resource and accounts usage, this search may produce false positives.
 providing_technologies = null
@@ -3696,7 +3836,7 @@ asset_type = GCP Account
 confidence = medium
 explanation = This search provides detection of possible GCP Oauth token abuse. GCP Oauth token without time limit can be exfiltrated and reused for keeping access sessions alive without further control of authentication, allowing attackers to access and move laterally.
 how_to_implement = You must install splunk GCP add-on. This search works with gcp:pubsub:message logs
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
 known_false_positives = GCP Oauth token abuse detection will only work if there are access policies in place along with audit logs.
 providing_technologies = null
@@ -3706,7 +3846,7 @@ asset_type = GCP Kubernetes cluster
 confidence = medium
 explanation = This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster
 how_to_implement = You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk. You must also install Cloud Infrastructure data model.Customize the macro kubernetes_gcp_scan_fingerprint_attack_detection to filter out FPs.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1526"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.CM"]}
 known_false_positives = Not all unauthenticated requests are malicious, but frequency, User Agent and source IPs will provide context.
 providing_technologies = null
@@ -3716,7 +3856,7 @@ asset_type = Domain Server
 confidence = medium
 explanation = This detection search will help profile user accounts in your environment by identifying newly created accounts that have been added to your network in the past week.
 how_to_implement = To successfully implement this search, you need to be populating the Enterprise Security Identity_Management data model in the assets and identity framework.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078.002"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.002"], "nist": ["DE.AE"]}
 known_false_positives = If the Identity_Management data model is not updated regularly, this search could give you false positive alerts. Please consider this and investigate appropriately.
 providing_technologies = null
@@ -3730,6 +3870,16 @@ annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
 known_false_positives = Not all service accounts interactions are malicious. Analyst must consider IP, verb and decision context when trying to detect maliciousness.
 providing_technologies = null
+[savedsearch://ESCU - Kubernetes AWS detect RBAC authorization by account - Rule]
+type = detection
+asset_type = AWS EKS Kubernetes cluster
+confidence = medium
+explanation = This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences
+how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs
+annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}
+known_false_positives = Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted.
+providing_technologies = null
+
 [savedsearch://ESCU - Kubernetes AWS detect sensitive role access - Rule]
 type = detection
 asset_type = AWS EKS Kubernetes cluster
@@ -3826,7 +3976,7 @@ asset_type = Azure AKS Kubernetes cluster
 confidence = medium
 explanation = This search provides information of unauthenticated requests via source IP user agent, request URI and response status data against Kubernetes cluster in Azure
 how_to_implement = You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]}
 known_false_positives = Not all unauthenticated requests are malicious, but source IPs, userAgent, verb, request URI and response status will provide context.
 providing_technologies = null
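Review bot: The new `ESCU - Kubernetes AWS detect RBAC authorization by account - Rule` stanza ships with `annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]}` and no `mitre_attack` or `kill_chain_phases` entry, while every other detection stanza in this patch carries both; presumably the alert will then be missing from the ATT&CK and kill-chain views in Enterprise Security and cannot be grouped with the neighbouring Kubernetes and AWS analytics. Since dist/ is produced by the release job, the fix belongs in the source detection YAML: add the technique the author intends (the sibling GCP high-risk-role detections use T1078, but that mapping should be confirmed rather than copied) so the generated `kill_chain_phases` follows. The explanation also says the search "can be modified by adding top" without naming the field to rank on, and `known_false_positives` misspells "Authorizations"; both read as placeholders, e.g. `known_false_positives = Not all RBAC authorizations are malicious; review which role was bound, to which principal, and from which source before escalating.` The preceding stanza's `type`/`asset_type` header lines lie outside this hunk.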
@@ -3926,7 +4076,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for processes launching netsh.exe to execute various commands via the netsh command-line utility. Netsh.exe is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper .dll when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe that are executing commands via the command line. Deprecated because we have another detection of the same type.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.004"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004"], "nist": ["DE.CM"]}
 known_false_positives = It is unusual for netsh.exe to have any child processes in most environments. It makes sense to investigate the child process and verify whether the process spawned is legitimate. We explicitely exclude "C:\Program Files\rempl\sedlauncher.exe" process path since it is a legitimate process by Mircosoft.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -3946,7 +4096,7 @@ asset_type =
 confidence = medium
 explanation = The search looks for command-line arguments used to hide a file or directory using the reg add command.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1564.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.001"], "nist": ["DE.CM"]}
 known_false_positives = None at the moment
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -3966,7 +4116,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for flags passed to schtasks.exe on the command-line that indicate that task names related to the execution of Bad Rabbit ransomware were created or deleted. Deprecated because we already have a similar detection
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.005"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005"], "nist": ["DE.CM"]}
 known_false_positives = No known false positives
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -3996,7 +4146,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for changes to registry values that control Windows file associations, executed by a process that is not typical for legitimate, routine changes to this area.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1546.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.001"], "nist": ["DE.CM"]}
 known_false_positives = There may be other processes in your environment that users may legitimately use to modify file associations. If this is the case and you are finding false positives, you can modify the search to add those processes as exceptions.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -4006,7 +4156,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This detection looks for emails that are suspicious because of their sender, domain rareness, or behavior differences. This is an anomaly generated by Splunk User Behavior Analytics (UBA).
 how_to_implement = You must be ingesting data from email logs and have Splunk integrated with UBA. This anomaly is raised by a UBA detection model called "SuspiciousEmailDetectionModel." Ensure that this model is enabled on your UBA instance.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]}
 known_false_positives = This detection model will alert on any sender domain that is seen for the first time. This could be a potential false positive. The next step is to investigate and add the URL to an allow list if you determine that it is a legitimate sender.
 providing_technologies = null
@@ -4026,7 +4176,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for PowerShell processes started with a base64 encoded command-line passed to it, with parameters to modify the execution policy for the process, and those that prevent the display of an interactive prompt to the user. This combination of command-line options is suspicious because it overrides the default PowerShell execution policy, attempts to hide itself from the user, and passes an encoded script to be run on the command-line. Deprecated because almost the same as Malicious PowerShell Process - Encoded Command
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001"], "nist": ["DE.CM"]}
 known_false_positives = Legitimate process can have this combination of command-line options, but it's not common.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -4036,7 +4186,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following hunting analytic identifies renamed instances of rundll32.exe executing. rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, validate it is the legitimate rundll32.exe executing and what script content it is loading. This query relies on the original filename or internal name from the PE meta data. Expand the query as needed by looking for specific command line arguments outlined in other analytics.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1036", "T1218.011", "T1036.003"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1036", "T1218.011", "T1036.003"], "nist": ["DE.AE"]}
 known_false_positives = Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -4046,7 +4196,7 @@ asset_type = Windows
 confidence = medium
 explanation = This search detects writes to the 'System Volume Information' folder by something other than the System process.
 how_to_implement = You need to be ingesting logs with both the process name and command-line from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1036"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.AE"]}
 known_false_positives = It is possible that other utilities or system processes may legitimately write to this folder. Investigate and modify the search to include exceptions as appropriate.
 providing_technologies = null
@@ -4056,7 +4206,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for applications on the endpoint that you have marked as uncommon.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1204.002"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.002"], "nist": ["DE.AE"]}
 known_false_positives = None identified
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -4066,7 +4216,7 @@ asset_type = Windows
 confidence = medium
 explanation = This search detects loading of unsigned images by LSASS. Deprecated because too noisy.
 how_to_implement = This search needs Sysmon Logs with a sysmon configuration, which includes EventCode 7 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.CM"]}
 known_false_positives = Other tools could load images into LSASS for legitimate reason. But enterprise tools should always use signed DLLs.
 providing_technologies = null
@@ -4086,7 +4236,7 @@ asset_type = Account
 confidence = medium
 explanation = This search is used to identify the creation of multiple user accounts using the same email domain name.
 how_to_implement = We start with a dataset that provides visibility into the email address used for the account creation. In this example, we are narrowing our search down to the single web page that hosts the Magento2 e-commerce platform (via URI) used for account creation, the single http content-type to grab only the user's clicks, and the http field that provides the username (form_data), for performance reasons. After we have the username and email domain, we look for numerous account creations per email domain. Common data sources used for this detection are customized Apache logs or Splunk Stream.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1136"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136"], "nist": ["DE.CM"]}
 known_false_positives = As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosely written detections that simply detect anamolous behavior. This search will need to be customized to fit your environment—improving its fidelity by counting based on something much more specific, such as a device ID that may be present in your dataset. Consideration for whether the large number of registrations are occuring from a first-time seen domain may also be important. Extending the search window to look further back in time, or even calculating the average per hour/day for each email domain to look for an anomalous spikes, will improve this search. You can also use Shannon entropy or Levenshtein Distance (both courtesy of URL Toolbox) to consider the randomness or similarity of the email name or email domain, as the names are often machine-generated.
 providing_technologies = null
@@ -4096,7 +4246,7 @@ asset_type = account
 confidence = medium
 explanation = This search is used to examine web sessions to identify those where the clicks are occurring too quickly for a human or are occurring with a near-perfect cadence (high periodicity or low standard deviation), resembling a script driven session.
 how_to_implement = Start with a dataset that allows you to see clickstream data for each user click on the website. That data must have a time stamp and must contain a reference to the session identifier being used by the website. This ties the clicks together into clickstreams. This value is usually found in the http cookie. With a bit of tuning, a version of this search could be used in high-volume scenarios, such as scraping, crawling, application DDOS, credit-card testing, account takeover, etc. Common data sources used for this detection are customized Apache logs, customized IIS, and Splunk Stream.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
 known_false_positives = As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosly written detections that simply detect anamoluous behavior.
 providing_technologies = null
@@ -4116,7 +4266,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The search looks for the Console Window Host process (connhost.exe) executed using the force flag -ForceV1. This is not regular behavior in the Windows OS and is often seen executed by the Ryuk Ransomware. DEPRECATED This event is actually seen in the windows 10 client of attack_range_local. After further testing we realized this is not specific to Ryuk.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003"], "nist": ["DE.CM"]}
 known_false_positives = This process should not be ran forcefully, we have not see any false positives for this detection
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -4136,7 +4286,7 @@ asset_type = Network
 confidence = medium
 explanation = The analytic provided below employs the Network_Resolution datamodel to detect domain indicators associated with the 3CX supply chain attack. By leveraging this query, you can efficiently conduct retrospective analysis of your data to uncover potential compromises.
 how_to_implement = To successfully implement this search you need to be ingesting information into the `Network Resolution` datamodel in the `DNS` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA''s are installed.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1195.002"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.002"], "nist": ["DE.CM"]}
 known_false_positives = False positives will be present for accessing the 3cx[.]com website. Remove from the lookup as needed.
 providing_technologies = null
@@ -4146,7 +4296,7 @@ asset_type = Endpoint confidence = medium explanation = This search is to detect a suspicious 7z process with commandline pointing to SMB network share. This technique was seen in CONTI LEAK tools where it use 7z to archive a sensitive files and place it in network share tmp folder. This search is a good hunting query that may give analyst a hint why specific user try to archive a file pointing to SMB user which is un usual. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4156,7 +4306,7 @@ asset_type = Windows confidence = medium explanation = The following analytic detects the dumping of the LSASS process memory, which occurs during credential dumping attacks.The detection is made by using Sysmon logs, specifically EventCode 10, which is related to lsass.exe. This helps to search for indicators of LSASS memory dumping such as specific call traces to dbgcore.dll and dbghelp.dll. This detection is important because it prevents credential dumping attacks and the theft of sensitive information such as login credentials, which can be used to gain unauthorized access to systems and data. False positives might occur due to legitimate administrative tasks. Next steps include reviewing and investigating each case, given the high risk associated with potential credential dumping attacks. how_to_implement = This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} known_false_positives = Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual. providing_technologies = null 
@@ -4166,7 +4316,7 @@ asset_type = Endpoint confidence = medium explanation = This search is to detect a potential account discovery series of command used by several malware or attack to recon the target machine. This technique is also seen in some note worthy malware like trickbot where it runs a cmd process, or even drop its module that will execute the said series of net command. This series of command are good correlation search and indicator of attacker recon if seen in the machines within a none technical user or department (HR, finance, ceo and etc) network. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} known_false_positives = Admin or power user may used this series of command. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4176,7 +4326,7 @@ asset_type = Endpoint confidence = medium explanation = The primary objective of this correlation rule is to detect and alert on potential lateral movement activities within an organization's Active Directory (AD) environment. By identifying multiple analytics associated with the Active Directory Lateral Movement analytic story, security analysts can gain better insight into possible threats and respond accordingly to mitigate risks. The correlation rule will trigger an alert when multiple analytics from the Active Directory Lateral Movement analytic story are detected within a specified time frame. The rule will generate an alert if a predetermined threshold of correlated analytics is reached within the specified time frame. This threshold can be customized to suit the needs and risk appetite of the organization. how_to_implement = Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased as the analytic story includes over 30 analytics. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]} known_false_positives = False positives will most likely be present based on risk scoring and how the organization handles system to system communication. Filter, or modify as needed. In addition to count by analytics, adding a risk score may be useful. In our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. Your organization will be different, monitor and modify as needed. providing_technologies = null 
@@ -4186,7 +4336,7 @@ asset_type = Endpoint confidence = medium explanation = The primary objective of this correlation rule is to detect and alert on potential privilege escalation activities within an organization's Active Directory (AD) environment. By identifying multiple analytics associated with the Active Directory Privilege Escalation analytic story, security analysts can gain better insight into possible threats and respond accordingly to mitigate risks. The correlation rule will trigger an alert when multiple analytics from the Active Directory Privilege Escalation analytic story are detected within a specified time frame. The rule will generate an alert if a predetermined threshold of correlated analytics is reached within the specified time frame. This threshold can be customized to suit the needs and risk appetite of the organization. how_to_implement = Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased as the analytic story includes over 30 analytics. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1484"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484"], "nist": ["DE.AE"]} known_false_positives = False positives will most likely be present based on risk scoring and how the organization handles system to system communication. Filter, or modify as needed. In addition to count by analytics, adding a risk score may be useful. In our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. Your organization will be different, monitor and modify as needed. providing_technologies = null 
@@ -4196,7 +4346,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic is to detect a suspicious modification of the active setup registry for persistence and privilege escalation. This technique was seen in several malware (poisonIvy), adware and APT to gain persistence to the compromised machine upon boot up. This TTP is a good indicator to further check the process id that do the modification since modification of this registry is not commonly done. check the legitimacy of the file and process involve in this rules to check if it is a valid setup installer that creating or modifying this registry. how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.014", "T1547"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.014", "T1547"], "nist": ["DE.CM"]} known_false_positives = Active setup installer may add or modify this registry. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4206,7 +4356,7 @@ asset_type = Endpoint confidence = medium explanation = this search is to detect a suspicious registry modification to implement auto admin logon to a host. This technique was seen in BlackMatter ransomware to automatically logon to the compromise host after triggering a safemode boot to continue encrypting the whole network. This behavior is not a common practice and really a suspicious TTP or alert need to be consider if found within then network premise. how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.AE"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4216,7 +4366,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic will identify a suspicious process command-line related to Windows Defender exclusion feature. This command is abused by adversaries, malware authors and red teams to bypass Windows Defender Antivirus products by excluding folder path, file path, process and extensions. From its real time or schedule scan to execute their malicious code. This is a good indicator for defense evasion and to look further for events after this behavior. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} known_false_positives = Admin or user may choose to use this windows features. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4226,7 +4376,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain users for situational awareness and Active Directory Discovery. how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} known_false_positives = Administrators or power users may use this command for troubleshooting. providing_technologies = ["Microsoft Windows"] 
@@ -4236,7 +4386,7 @@ asset_type = Endpoint confidence = medium explanation = This search is to detect a suspicious modification of firewall to allow file and printer sharing. This technique was seen in ransomware to be able to discover more machine connected to the compromised host to encrypt more files how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} known_false_positives = network admin may modify this firewall feature that may cause this rule to be triggered. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4246,7 +4396,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic detects a potential suspicious modification of firewall rule registry allowing inbound traffic in specific port with public profile. This technique was identified when an adversary wants to grant remote access to a machine by allowing the traffic in a firewall rule. how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} known_false_positives = network admin may add/remove/modify public inbound firewall rule that may cause this rule to be triggered. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4256,7 +4406,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies suspicious PowerShell command to allow inbound traffic inbound to a specific local port within the public profile. This technique was seen in some attacker want to have a remote access to a machine by allowing the traffic in firewall rule. how_to_implement = To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} known_false_positives = administrator may allow inbound traffic in certain network or machine. providing_technologies = ["Microsoft Windows"] 
@@ -4266,7 +4416,7 @@ asset_type = Endpoint confidence = medium explanation = This search is to detect a suspicious modification to the firewall to allow network discovery on a machine. This technique was seen in couple of ransomware (revil, reddot) to discover other machine connected to the compromised host to encrypt more files. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} known_false_positives = network admin may modify this firewall feature that may cause this rule to be triggered. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4276,7 +4426,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic identifies a potential privilege escalation attempt to perform malicious task. This registry modification is designed to allow the `Consent Admin` to perform an operation that requires elevation without consent or credentials. We also found this in some attacker to gain privilege escalation to the compromise machine. how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4286,7 +4436,7 @@ asset_type = Endpoint confidence = medium explanation = The following detection identifies a 7z.exe spawned from `Rundll32.exe` or `Dllhost.exe`. It is assumed that the adversary has brought in `7z.exe` and `7z.dll`. It has been observed where an adversary will rename `7z.exe`. Additional coverage may be required to identify the behavior of renamed instances of `7z.exe`. During triage, identify the source of injection into `Rundll32.exe` or `Dllhost.exe`. Capture any files written to disk and analyze as needed. Review parallel processes for additional behaviors. Typically, archiving files will result in exfiltration. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} known_false_positives = False positives should be limited as this behavior is not normal for `rundll32.exe` or `dllhost.exe` to spawn and run 7zip. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4296,7 +4446,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the use of PowerShell downloading a file using `DownloadFile` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.001", "T1105"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Command and Control"], "mitre_attack": ["T1059", "T1059.001", "T1105"], "nist": ["DE.CM"]} known_false_positives = False positives may be present and filtering will need to occur by parent process or command line argument. It may be required to modify this query to an EDR product for more granular coverage. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4306,7 +4456,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the use of PowerShell downloading a file using `DownloadString` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.001", "T1105"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Command and Control"], "mitre_attack": ["T1059", "T1059.001", "T1105"], "nist": ["DE.CM"]} known_false_positives = False positives may be present and filtering will need to occur by parent process or command line argument. It may be required to modify this query to an EDR product for more granular coverage. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4316,7 +4466,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic detects the use of tools that are commonly exploited by cybercriminals since these tools are usually associated with malicious activities such as unauthorized access, network scanning, or data exfiltration and pose a significant threat to an organization's security infrastructure. It also provides enhanced visibility into potential security threats and helps to proactively detect and respond to mitigate the risks associated with cybercriminal activities. This detection is made by examining the process activity on the host, specifically focusing on processes that are known to be associated with attacker tool names. This detection is important because it acts as an early warning system for potential security incidents that allows you to respond to security incidents promptly. False positives might occur due to legitimate administrative activities that can resemble malicious actions. You must develop a comprehensive understanding of typical endpoint activities and behaviors within the organization to accurately interpret and respond to the alerts generated by this analytic. This ensures a proper balance between precision and minimizing false positives. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1036.005", "T1036", "T1003", "T1595"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Reconnaissance"], "mitre_attack": ["T1036.005", "T1036", "T1003", "T1595"], "nist": ["DE.CM"]} known_false_positives = Some administrator activity can be potentially triggered, please add those users to the filter macro. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4326,7 +4476,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic detects whether a process is attempting to add a certificate to the untrusted certificate store, which might result in security tools being disabled. The detection is made by focusing on process activities and command-line arguments that are related to the 'certutil -addstore' command. This detection is important because it helps to identify attackers who might add a certificate to the untrusted certificate store to disable security tools and gain unauthorized access to a system. False positives might occur since legitimate reasons might exist for a process to add a certificate to the untrusted certificate store, such as system administration tasks. Next steps include conducting an extensive triage and investigation prior to taking any action. Additionally, you must understand the importance of trust and its subversion in system security. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1553.004", "T1553"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.004", "T1553"], "nist": ["DE.CM"]} known_false_positives = There may be legitimate reasons for administrators to add a certificate to the untrusted certificate store. In such cases, this will typically be done on a large number of systems. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4336,7 +4486,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic detects attempts to stop security-related services on the endpoint and helps to mitigate potential threats earlier, thereby minimizing the impact on the organization's security. The detection is made by using a Splunk query that searches for processes that involve the "sc.exe" command and include the phrase "stop" in their command. The query collects information such as the process name, process ID, parent process, user, destination, and timestamps. The detection is important because attempts to stop security-related services can indicate malicious activity or an attacker's attempt to disable security measures. This can impact the organization's security posture and can lead to the compromise of the endpoint and potentially the entire network. Disabling security services can allow attackers to gain unauthorized access, exfiltrate sensitive data, or launch further attacks, such as malware installation or privilege escalation. False positives might occur since there might be legitimate reasons for stopping these services in certain situations. Therefore, you must exercise caution and consider the context of the activity before taking any action. Next steps include reviewing the identified process and its associated details. You must also investigate any on-disk artifacts related to the process and review concurrent processes to determine the source of the attack.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = None identified. Attempts to disable security-related services should be identified and understood.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -4346,7 +4496,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = Monitor for execution of reg.exe with parameters specifying an export of keys that contain hashed credentials that attackers may try to crack offline.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]}
 known_false_positives = None identified.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -4356,7 +4506,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = this search is to detect a suspicious registry modification to implement auto admin logon to a host. This technique was seen in BlackMatter ransomware to automatically logon to the compromise host after triggering a safemode boot to continue encrypting the whole network. This behavior is not a common practice and really a suspicious TTP or alert need to be consider if found within then network premise.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -4366,7 +4516,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The search looks for a batch file (.bat) written to the Windows system directory tree.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.CM"]}
 known_false_positives = It is possible for this search to generate a notable event for a batch file write to a path that includes the string "system32", but is not the actual Windows system directory. As such, you should confirm the path of the batch file identified by the search. In addition, a false positive may be generated by an administrator copying a legitimate batch file in this directory tree. You should confirm that the activity is legitimate and modify the search to add exclusions, as necessary.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -4376,7 +4526,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect a suspicious bcdedit commandline to configure the host from safe mode back to normal boot configuration. This technique was seen in blackMatter ransomware where it force the compromised host to boot in safe mode to continue its encryption and bring back to normal boot using bcdedit deletevalue command. This TTP can be a good alert for host that booted from safe mode forcefully since it need to modify the boot configuration to bring it back to normal.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -4386,7 +4536,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for flags passed to bcdedit.exe modifications to the built-in Windows error recovery boot configurations. This is typically used by ransomware to prevent recovery.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
 known_false_positives = Administrators may modify the boot configuration.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -4396,7 +4546,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` scheduling a BITS job to persist on an endpoint. The query identifies the parameters used to create, resume or add a file to a BITS job. Typically seen combined in a oneliner or ran in sequence. If identified, review the BITS job created and capture any files written to disk. It is possible for BITS to be used to upload files and this may require further network data analysis to identify. You can use `bitsadmin /list /verbose` to list out the jobs during investigation.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1197"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1197"], "nist": ["DE.CM"]}
 known_false_positives = Limited false positives will be present. Typically, applications will use `BitsAdmin.exe`. Any filtering should be done based on command-line arguments (legitimate applications) or parent process.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -4406,7 +4556,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` using the `transfer` parameter to download a remote object. In addition, look for `download` or `upload` on the command-line, the switches are not required to perform a transfer. Capture any files downloaded. Review the reputation of the IP or domain used. Typically once executed, a follow on command will be used to execute the dropped file. Note that the network connection or file modification events related will not spawn or create from `bitsadmin.exe`, but the artifacts will appear in a parallel process of `svchost.exe` with a command-line similar to `svchost.exe -k netsvcs -s BITS`. It's important to review all parallel and child processes to capture any behaviors and artifacts. In some suspicious and malicious instances, BITS jobs will be created. You can use `bitsadmin /list /verbose` to list out the jobs during investigation.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1197", "T1105"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation", "Command and Control"], "mitre_attack": ["T1197", "T1105"], "nist": ["DE.CM"]}
 known_false_positives = Limited false positives, however it may be required to filter based on parent process name or network connection.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -4416,7 +4566,7 @@ asset_type = Endpoint confidence = medium explanation = Certutil.exe may download a file from a remote destination using `-urlcache`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. However, it is uncommon for `certutil.exe` to write files to world writeable paths.\ During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} known_false_positives = Limited false positives in most environments, however tune as needed based on parent-child relationship or network connection. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4426,7 +4576,7 @@ asset_type = Endpoint confidence = medium explanation = Certutil.exe may download a file from a remote destination using `-VerifyCtl`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. \ During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. Using `-VerifyCtl`, the file will either be written to the current working directory or `%APPDATA%\..\LocalLow\Microsoft\CryptnetUrlCache\Content\`. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} known_false_positives = Limited false positives in most environments, however tune as needed based on parent-child relationship or network connection. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4446,7 +4596,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = CertUtil.exe may be used to `encode` and `decode` a file, including PE and script code. Encoding will convert a file to base64 with `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` tags. Malicious usage will include decoding a encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used - `encodehex` and `decodehex`. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1140"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1140"], "nist": ["DE.CM"]}
 known_false_positives = Typically seen used to `encode` files, but it is possible to see legitimate use of `decode`. Filter based on parent-child relationship, file paths, endpoint or user.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -4456,7 +4606,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is developed to detect suspicious registry modification to change the default file association of windows to malicious payload. This technique was seen in some APT where it modify the default process to run file association, like .txt to notepad.exe. Instead notepad.exe it will point to a Script or other payload that will load malicious commands to the compromised host.
 how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1546.001", "T1546"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.001", "T1546"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -4466,7 +4616,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect a suspicious bcdedit commandline to configure the host to boot in safe mode with network config. This technique was seen in blackMatter ransomware where it force the compromised host to boot in safe mode to continue its encryption and bring back to normal boot using bcdedit deletevalue command. This TTP can be a good alert for host that booted from safe mode forcefully since it need to modify the boot configuration to bring it back to normal.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -4476,7 +4626,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect execution of chcp.exe application. this utility is used to change the active code page of the console. This technique was seen in icedid malware to know the locale region/language/country of the compromise host.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]}
 known_false_positives = other tools or script may used this to change code page to UTF-* or others
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -4486,7 +4636,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect a suspicious whoami execution to check if the cmd or shell instance process is with elevated privileges. This technique was seen in FIN7 js implant where it execute this as part of its data collection to the infected machine to check if the running shell cmd process is elevated or not. This TTP is really a good alert for known attacker that recon on the targetted host. This command is not so commonly executed by a normal user or even an admin to check if a process is elevated.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1033"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -4496,7 +4646,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for child processes of spoolsv.exe. This activity is associated with a POC privilege-escalation exploit associated with CVE-2018-8440. Spoolsv.exe is the process associated with the Print Spooler service in Windows and typically runs as SYSTEM.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]}
 known_false_positives = Some legitimate printer-related processes may show up as children of spoolsv.exe. You should confirm that any activity as legitimate and may be added as exclusions in the search.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -4506,7 +4656,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = this search is to detect execution of `cipher.exe` to clear the unallocated sectors of a specific disk. This technique was seen in some ransomware to make it impossible to forensically recover deleted files.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.CM"]}
 known_false_positives = administrator may execute this app to manage disk
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -4516,7 +4666,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytics are designed to identifies some CLOP ransomware variant that using arguments to execute its main code or feature of its code. In this variant if the parameter is "runrun", CLOP ransomware will try to encrypt files in network shares and if it is "temp.dat", it will try to read from some stream pipe or file start encrypting files within the infected local machines. This technique can be also identified as an anti-sandbox technique to make its code non-responsive since it is waiting for some parameter to execute properly.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1204"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.CM"]}
 known_false_positives = Operators can execute third party tools using these parameters.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -4526,7 +4676,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This detection is to identify the common service name created by the CLOP ransomware as part of its persistence and high privilege code execution in the infected machine. Ussually CLOP ransomware use StartServiceCtrlDispatcherW API in creating this service entry.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1543"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -4536,7 +4686,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.003", "T1059"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003", "T1059"], "nist": ["DE.AE"]}
 known_false_positives = False positives may be high based on legitimate scripted code in any environment. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -4546,7 +4696,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic identifies a common behavior by Cobalt Strike and other frameworks where the adversary will escalate privileges, either via `jump` (Cobalt Strike PTH) or `getsystem`, using named-pipe impersonation. A suspicious event will look like `cmd.exe /c echo 4sgryt3436 > \\.\Pipe\5erg53`. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.003", "T1543.003", "T1543"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1059", "T1059.003", "T1543.003", "T1543"], "nist": ["DE.CM"]} known_false_positives = Unknown. It is possible filtering may be required to ensure fidelity. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4556,7 +4706,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.CM"]} known_false_positives = A network operator or systems administrator may utilize an automated host discovery application that may generate false positives. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4566,7 +4716,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic detects a potential process using COM Object like CMLUA or CMSTPLUA to bypass UAC. This technique has been used by ransomware adversaries to gain administrative privileges to its running process. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]} known_false_positives = Legitimate windows application that are not on the list loading this dll. Filter as needed. providing_technologies = null 
@@ -4577,7 +4727,7 @@ confidence = medium explanation = The following analytic identifies the use of default or publicly known named pipes used with Cobalt Strike. A named pipe is a named, one-way or duplex pipe for communication between the pipe server and one or more pipe clients. Cobalt Strike uses named pipes in many ways and has default values used with the Artifact Kit and Malleable C2 Profiles. The following query assists with identifying these default named pipes. Each EDR product presents named pipes a little different. Consider taking the values and generating a query based on the product of choice. \ Upon triage, review the process performing the named pipe. If it is explorer.exe, It is possible it was injected into by another process. Review recent parallel processes to identify suspicious patterns or behaviors. A parallel process may have a network connection, review and follow the connection back to identify any file modifications. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} known_false_positives = The idea of using named pipes with Cobalt Strike is to blend in. Therefore, some of the named pipes identified and added may cause false positives. Filter by process name or pipe name to reduce false positives. providing_technologies = null 
@@ -4587,7 +4737,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic detects Searches for file modifications that commonly occur with Ransomware to detect modifications to files with extensions that are commonly used by Ransomware. The detection is made by searches for changes in the datamodel=Endpoint.Filesystem, specifically modifications to file extensions that match those commonly used by Ransomware. The detection is important because it suggests that an attacker is attempting to encrypt or otherwise modify files in the environment using malware, potentially leading to data loss that can cause significant damage to an organization's data and systems. False positives might occur so the SOC must investigate the affected system to determine the source of the modification and take appropriate action to contain and remediate the attack. how_to_implement = You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data model node. To see the additional metadata, add the following fields, if not already present, please review the detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1485"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.AE"]} known_false_positives = It is possible for a legitimate file with these extensions to be created. If this is a true ransomware attack, there will be a large number of files created with these extensions. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4597,7 +4747,7 @@ asset_type = Endpoint confidence = medium explanation = The search looks for files created with names matching those typically used in ransomware notes that tell the victim how to get their data back. how_to_implement = You must be ingesting data that records file-system activity from your hosts to populate the Endpoint Filesystem data-model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1485"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.AE"]} known_false_positives = It's possible that a legitimate file could be created with the same name used by ransomware note files. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4607,7 +4757,7 @@ asset_type = Endpoint confidence = medium explanation = This search detects the suspicious commandline argument of revil ransomware to encrypt specific or all local drive and network shares of the compromised machine or host. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1204"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.CM"]} known_false_positives = 3rd party tool may have commandline parameter that can trigger this detection. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4617,7 +4767,7 @@ asset_type = Endpoint confidence = medium explanation = The following detection identifies control.exe loading either a .cpl or .inf from a writable directory. This is related to CVE-2021-40444. During triage, review parallel processes, parent and child, for further suspicious behaviors. In addition, capture file modifications and analyze. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.002"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.002"], "nist": ["DE.CM"]} known_false_positives = Limited false positives will be present as control.exe does not natively load from writable paths as defined. One may add .cpl or .inf to the command-line if there is any false positives. Tune as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4627,7 +4777,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic detects the creation of local administrator accounts using the net.exe command to mitigate the risks associated with unauthorized access and prevent further damage to the environment by responding to potential threats earlier and taking appropriate actions to protect the organization's systems and data. This detection is made by a Splunk query to search for processes with the name net.exe or net1.exe that include the "/add" parameter and have specific keywords related to administrator accounts in their process name. This detection is important because the creation of unauthorized local administrator accounts might indicate that an attacker has successfully created a new administrator account and is trying to gain persistent access to a system or escalate their privileges for data theft, or other malicious activities. False positives might occur since there might be legitimate uses of the net.exe command and the creation of administrator accounts in certain circumstances. You must consider the context of the activity and other indicators of compromise before taking any action. For next steps, review the details of the identified process, including the user, parent process, and parent process name. Examine any relevant on-disk artifacts and look for concurrent processes to determine the source of the attack. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]} known_false_positives = Administrators often leverage net.exe to create admin accounts. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4637,7 +4787,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic detects the creation or deletion of hidden shares using the net.exe command for prompt response and mitigation to enhance the overall security posture of the organization and protect against potential data breaches, malware infections, and other damaging outcomes. This detection is made by searching for processes that involve the use of net.exe and filters for actions related to creation or deletion of shares. This detection is important because it suggests that an attacker is attempting to manipulate or exploit the network by creating or deleting hidden shares. The creation or deletion of hidden shares can indicate malicious activity since attackers might use hidden shares to exfiltrate data, distribute malware, or establish persistence within a network. The impact of such an attack can vary, but it often involves unauthorized access to sensitive information, disruption of services, or the introduction of malware. False positives might occur since legitimate actions can also involve the use of net.exe. An extensive triage and investigation is necessary to determine the intent and nature of the detected activity. Next steps include reviewing the details of the process involving the net.exe command, including the user, parent process, and timestamps during the triage. Additionally, capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the source of the attack. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1070", "T1070.005"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070", "T1070.005"], "nist": ["DE.CM"]} known_false_positives = Administrators often leverage net.exe to create or delete network shares. You should verify that the activity was intentional and is legitimate. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] @@ -4647,7 +4797,7 @@ asset_type = Endpoint confidence = medium explanation = This search is to detect suspicious process injection in command shell. This technique was seen in IcedID where it execute cmd.exe process to inject its shellcode as part of its execution as banking trojan. It is really uncommon to have a create remote thread execution in the following application. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = null 
@@ -4657,7 +4807,7 @@ asset_type = Windows confidence = medium explanation = The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS), which is a common tactic used by adversaries to steal user authentication credentials, known as credential dumping. The detection is made by leveraging Sysmon Event ID 8 logs and searches for processes that create remote threads in lsass.exe. This is an unusual activity that is generally linked to credential theft or credential dumping, which is a significant threat to network security. The detection is important because it helps to detect potential credential dumping attacks, which can result in significant damage to an organization's security. False positives might occur though the confidence level of this alert is high. There might be cases where legitimate tools can access LSASS and generate similar logs. Therefore, you must understand the broader context of such events and differentiate between legitimate activities and possible threats. how_to_implement = This search needs Sysmon Logs with a Sysmon configuration, which includes EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} known_false_positives = Other tools can access LSASS for legitimate reasons and generate an event. In these cases, tweaking the search may help eliminate noise. providing_technologies = null 
@@ -4667,7 +4817,7 @@ asset_type = Windows confidence = medium explanation = Detect the hands on keyboard behavior of Windows Task Manager creating a process dump of lsass.exe. Upon this behavior occurring, a file write/modification will occur in the users profile under \AppData\Local\Temp. The dump file, lsass.dmp, cannot be renamed, however if the dump occurs more than once, it will be named lsass (2).dmp. how_to_implement = This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 11 for detecting file create of lsass.dmp. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} known_false_positives = Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual. providing_technologies = null 
@@ -4677,7 +4827,7 @@ asset_type = Endpoint confidence = medium explanation = Monitor for signs that Vssadmin or Wmic has been used to create a shadow copy. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} known_false_positives = Legitimate administrator usage of Vssadmin or Wmic will create false positives. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4687,7 +4837,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic detects the use of two specific tools, wmic and Powershell, to create a shadow copy to identify potential threats earlier and take appropriate actions to mitigate the risks. This detection is made by a Splunk query that searches for processes in the Endpoint.Processes data model where either the process name contains "wmic" or "Powershell" and the process command contains "shadowcopy" and "create". This detection is important because it suggests that an attacker is attempting to manipulate or access data in an unauthorized manner, which can lead to data theft, data manipulation, or other malicious activities. Attackers might use shadow copies to backup and exfiltrate sensitive data or to hide their tracks by restoring files to a previous state after an attack. Next steps include reviewing the user associated with the process, the process name, the original file name, the process command, and the destination of the process. Additionally, examine any relevant on-disk artifacts and review other concurrent processes to determine the source of the attack. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} known_false_positives = Legtimate administrator usage of wmic to create a shadow copy. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4697,7 +4847,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic detects the use of the copy command to dump credentials from a shadow copy so that you can detect potential threats earlier and mitigate the risks associated with credential dumping. The detection is made by using a Splunk query to search for specific processes that indicate credential dumping activity. The query looks for processes with command lines that include references to certain files, such as "sam", "security", "system", and "ntds.dit", located in system directories like "system32" or "windows". The detection is important because it suggests that an attacker is attempting to extract credentials from a shadow copy. Credential dumping is a common technique used by attackers to obtain sensitive login information and gain unauthorized access to systems to escalate privileges, move laterally within the network, or gain unauthorized access to sensitive data. False positives might occur since legitimate processes might also reference these files. During triage, it is crucial to review the process details, including the source and the command that is run. Additionally, you must capture and analyze any relevant on-disk artifacts and investigate concurrent processes to determine the source of the attack how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4707,7 +4857,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic detects the creation of a symlink to a shadow copy to identify potential threats earlier and mitigate the risks associated with symlink creation to shadow copies. The detection is made by using a Splunk query that searches for processes with commands containing "mklink" and "HarddiskVolumeShadowCopy". This analytic retrieves information such as the destination, user, process name, process ID, parent process, original file name, and parent process ID from the Endpoint.Processes data model. The detection is important because it indicates potential malicious activity since attackers might use this technique to manipulate or delete shadow copies, which are used for system backup and recovery. This detection helps to determine if an attacker is attempting to cover their tracks or prevent data recovery in the event of an incident. The impact of such an attack can be significant since it can hinder incident response efforts, prevent data restoration, and potentially lead to data loss or compromise. Next steps include reviewing the details of the process, such as the destination and the user responsible for creating the symlink. Additionally, you must examine the parent process, any relevant on-disk artifacts, and concurrent processes to identify the source of the attack. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4717,7 +4867,7 @@ asset_type = Endpoint confidence = medium explanation = this analytic is to detect a suspicious compile before delivery approach of .net compiler csc.exe. This technique was seen in several adversaries, malware and even in red teams to take advantage the csc.exe .net compiler tool to compile on the fly a malicious .net code to evade detection from security product. This is a good hunting query to check further the file or process created after this event and check the file path that passed to csc.exe which is the .net code. Aside from that, powershell is capable of using this compiler in executing .net code in a powershell script so filter on that case is needed. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1027.004", "T1027"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027.004", "T1027"], "nist": ["DE.AE"]} known_false_positives = A network operator or systems administrator may utilize an automated powershell script taht execute .net code that may generate false positive. filter is needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4727,7 +4877,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the use of curl on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} known_false_positives = False positives should be limited, however filtering may be required. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4737,7 +4887,7 @@ asset_type = Endpoint confidence = medium explanation = This following analytic detects PowerShell command to delete shadow copy using the WMIC PowerShell module. This technique was seen used by a recent adversary to deploy DarkSide Ransomware where it executed a child process of PowerShell to execute a hex encoded command to delete shadow copy. This hex encoded command was able to be decrypted by PowerShell log. how_to_implement = To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = ["Microsoft Windows"] 
@@ -4747,7 +4897,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic will detect a suspicious net.exe/net1.exe command-line to delete a user on a system. This technique may be use by an administrator for legitimate purposes, however this behavior has been used in the wild to impair some user or deleting adversaries tracks created during its lateral movement additional systems. During triage, review parallel processes for additional behavior. Identify any other user accounts created before or after. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1531"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1531"], "nist": ["DE.CM"]} known_false_positives = System administrators or scripts may delete user accounts via this technique. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4757,7 +4907,7 @@ asset_type = Endpoint confidence = medium explanation = The vssadmin.exe utility is used to interact with the Volume Shadow Copy Service. Wmic is an interface to the Windows Management Instrumentation. This search looks for either of these tools being used to delete shadow copies. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} known_false_positives = vssadmin.exe and wmic.exe are standard applications shipped with modern versions of windows. They may be used by administrators to legitimately delete old backup copies, although this is typically rare. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4767,7 +4917,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the common command-line argument used by AzureHound `Invoke-AzureHound`. Being the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} known_false_positives = Unknown. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4777,7 +4927,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic is similar to SharpHound file modifications, but this instance covers the use of Invoke-AzureHound. AzureHound is the SharpHound equivilent but for Azure. It's possible this may never be seen in an environment as most attackers may execute this tool remotely. Once execution is complete, a zip file with a similar name will drop `20210601090751-azurecollection.zip`. In addition to the zip, multiple .json files will be written to disk, which are in the zip. how_to_implement = To successfully implement this search you need to be ingesting information on file modifications that include the name of the process, and file, responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} known_false_positives = False positives should be limited as the analytic is specific to a filename with extension .zip. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4787,7 +4937,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic detects a specific type of vulnerability known as a heap-based buffer overflow in the sudoedit command, commonly referred to as Baron Samedit CVE-2021-3156. The detection is made by a Splunk query that searches for instances of the sudoedit command with the "-s" flag followed by a double quote. This combination of parameters is indicative of the vulnerability being exploited. The detection is important because it suggests that an attacker is attempting to exploit the Baron Samedit vulnerability. The Baron Samedit vulnerability allows an attacker to gain elevated privileges on a Linux system and run arbitrary code with root privileges, potentially leading to complete control over the affected system. The impact of a successful attack can be severe since it allows the attacker to bypass security measures and gain unauthorized access to sensitive data or systems. This can result in data breaches, unauthorized modifications, or even complete system compromise. Next steps include being aware of this vulnerability and actively monitoring any attempts to exploit it. By detecting and responding to such attacks in a timely manner, you can prevent or minimize the potential damage caused by the heap-based buffer overflow of sudoedit. how_to_implement = Splunk Universal Forwarder running on Linux systems, capturing logs from the /var/log directory. The vulnerability is exposed when a non privledged user tries passing in a single \ character at the end of the command while using the shell and edit flags. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = null 
@@ -4797,7 +4947,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic detects the occurrence of a heap-based buffer overflow in sudoedit.The detection is made by using a Splunk query to identify Linux hosts where the terms "sudoedit" and "segfault" appear in the logs. The detection is important because the heap-based buffer overflow vulnerability in sudoedit can be exploited by attackers to gain elevated root privileges on a vulnerable system, which might lead to the compromise of sensitive data, unauthorized access, and other malicious activities. False positives might occur. Therefore, you must review the logs and investigate further before taking any action. how_to_implement = Splunk Universal Forwarder running on Linux systems (tested on Centos and Ubuntu), where segfaults are being logged. This also captures instances where the exploit has been compiled into a binary. The detection looks for greater than 5 instances of sudoedit combined with segfault over your search time period on a single host -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} known_false_positives = If sudoedit is throwing segfaults for other reasons this will pick those up too. providing_technologies = null 
@@ -4807,7 +4957,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic detects the heap-based buffer overflow for the sudoedit command and identifies instances where the command "sudoedit -s *" is run using the osquery_process data source. This indicates that the sudoedit command is used with the "-s" flag, which is associated with the heap-based buffer overflow vulnerability. The detection is important because it indicates a potential security vulnerability, specifically Baron Samedit CVE-2021-3156, which helps to identify and respond to potential heap-based buffer overflow attacks to enhance the security posture of the organization. This vulnerability allows an attacker to escalate privileges and potentially gain unauthorized access to the system. If the attack is successful, the attacker can gain full control of the system, run arbitrary code, or access sensitive data. Such attacks can lead to data breaches, unauthorized access, and potential disruption of critical systems. False positives might occur since the legitimate use of the sudoedit command with the "-s" flag can also trigger this detection. You must carefully review and validate the findings before taking any action. Next steps include investigating all true positive detections promptly, reviewing the associated processes, gather relevant artifacts, identifying the source of the attack to contain the threat, mitigate the risks, and prevent further damage to the environment. how_to_implement = OSQuery installed and configured to pick up process events (info at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. The vulnerability is exposed when a non privledged user tries passing in a single \ character at the end of the command while using the shell and edit flags. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = null @@ -4817,7 +4967,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies when the attacker tool Certify or Certipy are used to enumerate Active Directory Certificate Services (AD CS) environments. The default command line arguments of these tools are similar and perform near identical enumeration or exploitation functions. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1649", "T1105"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Command and Control"], "mitre_attack": ["T1649", "T1105"], "nist": ["DE.CM"]} known_false_positives = Unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4827,7 +4977,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies when the attacker tool Certify is used through an in-memory PowerShell function to enumerate Active Directory Certificate Services (AD CS) environments. The default command line arguments for the binary version of this tools are similar to PowerShell calls and perform near identical enumeration or exploitation functions. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1649", "T1059", "T1059.001"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1649", "T1059", "T1059.001"], "nist": ["DE.CM"]} known_false_positives = Unknown, partial script block matches. providing_technologies = ["Microsoft Windows"] 
@@ -4837,7 +4987,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies when the attacker tool Certipy is used to enumerate Active Directory Certificate Services (AD CS) environments. The default behavior of this toolkit drops a number of file uniquely named files or file extensions related to it's information gathering and exfiltration process. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints as well as file creation or deletion events. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1649", "T1560"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649", "T1560"], "nist": ["DE.CM"]} known_false_positives = Unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] @@ -4847,7 +4997,7 @@ asset_type = Windows confidence = medium explanation = This search looks for Event Code 4742 (Computer Change) or EventCode 4624 (An account was successfully logged on) with an anonymous account. how_to_implement = This search requires audit computer account management to be enabled on the system in order to generate Event ID 4742. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Event Logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]} known_false_positives = None thus far found providing_technologies = ["Microsoft Windows"] 
@@ -4859,7 +5009,7 @@ explanation = The following analytic utilizes PowerShell Script Block Logging (E This analytic identifies `copy` or `[System.IO.File]::Copy` being used to capture the SAM, SYSTEM or SECURITY hives identified in script block. This will catch the most basic use cases for credentials being taken for offline cracking. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]} known_false_positives = Limited false positives as the scope is limited to SAM, SYSTEM and SECURITY hives. providing_technologies = ["Microsoft Windows"] 
@@ -4869,7 +5019,7 @@ asset_type = Windows confidence = medium explanation = The following analytic detects the reading of lsass memory, which is consistent with credential dumping. Reading lsass memory is a common technique used by attackers to steal credentials from the Windows operating system. The detection is made by monitoring the sysmon events and filtering for specific access permissions (0x1010 and 0x1410) on the lsass.exe process helps identify potential instances of credential dumping.The detection is important because it suggests that an attacker is attempting to extract credentials from the lsass memory, which can lead to unauthorized access, data breaches, and compromise of sensitive information. Credential dumping is often a precursor to further attacks, such as lateral movement, privilege escalation, or data exfiltration. False positives can occur due to legitimate actions that involve accessing lsass memory. Therefore, extensive triage and investigation are necessary to differentiate between malicious and benign activities. how_to_implement = This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} known_false_positives = The activity may be legitimate. Other tools can access lsass for legitimate reasons, and it's possible this event could be generated in those cases. 
In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise. providing_technologies = null @@ -4881,7 +5031,7 @@ explanation = The following analytic utilizes PowerShell Script Block Logging (E This analytic identifies the common PowerShell stager used by PowerShell-Empire. Each stager that may use PowerShell all uses the same pattern. The initial HTTP will be base64 encoded and use `system.net.webclient`. Note that some obfuscation may evade the analytic. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} known_false_positives = False positives may only pertain to it not being related to Empire, but another framework. Filter as needed if any applications use the same pattern. providing_technologies = ["Microsoft Windows"] 
@@ -4895,7 +5045,7 @@ how_to_implement = You must ingest your Windows security event logs in the `Chan If Splunk>Phantom is also configured in your environment, a Playbook called "Excessive Account Lockouts Enrichment and Response" can be configured to run when any results are found by this detection search. The Playbook executes the Contextual and Investigative searches in this Story, conducts additional information gathering on Windows endpoints, and takes a response action to shut down the affected endpoint. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active. \ (Playbook Link:`https://my.phantom.us/4.1/playbook/excessive-account-lockouts-enrichment-and-response/`).\ -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.AE"]} known_false_positives = It's possible that a widely used system, such as a kiosk, could cause a large number of account lockouts. providing_technologies = null 
@@ -4905,7 +5055,7 @@ asset_type = Windows confidence = medium explanation = This search detects user accounts that have been locked out a relatively high number of times in a short period. how_to_implement = ou must ingest your Windows security event logs in the `Change` datamodel under the nodename is `Account_Management`, for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.003"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.003"], "nist": ["DE.AE"]} known_false_positives = It is possible that a legitimate user is experiencing an issue causing multiple account login failures leading to lockouts. providing_technologies = null 
@@ -4915,7 +5065,7 @@ asset_type = Endpoint confidence = medium explanation = The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell and ProxyNotShell. Paths include: `\HttpProxy\owa\auth\`, `\inetpub\wwwroot\aspnet_client\`, and `\HttpProxy\OAB\`. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1505", "T1505.003", "T1190", "T1133"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505", "T1505.003", "T1190", "T1133"], "nist": ["DE.CM"]} known_false_positives = The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4925,7 +5075,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a renamed instance of hh.exe (HTML Help) executing a Compiled HTML Help (CHM). This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Validate it is the legitimate version of hh.exe by reviewing the PE metadata. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.AE"]} known_false_positives = Although unlikely a renamed instance of hh.exe will be used legitimately, filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4935,7 +5085,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"]}
 known_false_positives = Although unlikely, some legitimate applications (ex. 
web browsers) may spawn a child process. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4945,7 +5095,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file from a remote url. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review reputation of remote IP and domain. Some instances, it is worth decompiling the .chm file to review its original contents. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"]}
 known_false_positives = Although unlikely, some legitimate applications may retrieve a CHM remotely, filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4955,7 +5105,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file using InfoTech Storage Handlers. This particular technique will load Windows script code from a compiled help file, using InfoTech Storage Handlers. itss.dll will load upon execution. Three InfoTech Storage handlers are supported - ms-its, its, mk:@MSITStore. ITSS may be used to launch a specific html/htm file from within a CHM file. CHM files may contain nearly any file type embedded. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"]}
 known_false_positives = It is rare to see instances of InfoTech Storage Handlers being used, but it does happen in some legitimate instances. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4967,7 +5117,7 @@ explanation = The following analytic utilizes PowerShell Script Block Logging (E
 This analytic identifies common Mimikatz functions that may be identified in the script block, including `mimikatz`. This will catch the most basic use cases for Pass the Ticket, Pass the Hash and `-DumprCreds`. \
 During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003", "T1059.001"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1003", "T1059.001"], "nist": ["DE.CM"]}
 known_false_positives = False positives should be limited as the commands being identifies are quite specific to EventCode 4104 and Mimikatz. Filter as needed.
 providing_technologies = ["Microsoft Windows"] 
@@ -4977,7 +5127,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies "mshta.exe" execution with inline protocol handlers. "JavaScript", "VBScript", and "About" are the only supported options when invoking HTA content directly on the command-line. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "mshta.exe" and its parent process.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]}
 known_false_positives = Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4987,7 +5137,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies renamed instances of mshta.exe executing. Mshta.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. This analytic utilizes the internal name of the PE to identify if is the legitimate mshta binary. Further analysis should be performed to review the executed content and validation it is the real mshta.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.AE"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.AE"]}
 known_false_positives = Although unlikely, some legitimate applications may use a moved copy of mshta.exe, but never renamed, triggering a false positive.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -4997,7 +5147,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic identifies when Microsoft HTML Application Host (mshta.exe) utility is used to make remote http connections. Adversaries may use mshta.exe to proxy the download and execution of remote .hta files. The analytic identifies command line arguments of http and https being used. This technique is commonly used by malicious software to bypass preventative controls. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "rundll32.exe" and its parent process.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]}
 known_false_positives = It is possible legitimate applications may perform this behavior and will need to be filtered.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -5007,7 +5157,7 @@ asset_type = Windows
 confidence = medium
 explanation = The following analytic detects the creation of new accounts that have been elevated to local administrators so that you can take immediate action to mitigate the risks and prevent further unauthorized access or malicious activities. This detection is made by using the Splunk query `wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) to search for relevant security events in the Windows event log. When a new account is created or an existing account is added to the Administrators group, this analytic identifies this behavior by looking for EventCode 4720 (A user account was created) or EventCode 4732 (A member was added to a security-enabled global group). This analytic specifically focuses on events where the Group_Name is set to Administrators. This detection is important because it suggests that an attacker has gained elevated privileges and can perform malicious actions with administrative access. This can lead to significant impact, such as unauthorized access to sensitive data, unauthorized modifications to systems or configurations, and potential disruption of critical services. identifying this behavior is crucial for a Security Operations Center (SOC). Next steps include reviewing the details of the security event, including the user account that was created or added to the Administrators group. Also, examine the time span between the first and last occurrence of the event to determine if the behavior is ongoing. Additionally, consider any contextual information, such as the destination where the account was created or added to understand the scope and potential impact of the attack.
 how_to_implement = You must be ingesting Windows event logs using the Splunk Windows TA and collecting event code 4720 and 4732 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]}
 known_false_positives = The activity may be legitimate. For this reason, it's best to verify the account with an administrator and ask whether there was a valid service request for the account creation. If your local administrator group name is not "Administrators", this search may generate an excessive number of false positives
 providing_technologies = ["Microsoft Windows"] 
@@ -5017,7 +5167,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for execution of process `outlook.exe` where the process is writing a `.zip` file to the disk.
 how_to_implement = You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon. 
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
 known_false_positives = It is not uncommon for outlook to write legitimate zip files to the disk.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -5027,7 +5177,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The detection Detect Path Interception By Creation Of program exe is detecting the abuse of unquoted service paths, which is a popular technique for privilege escalation.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1574.009", "T1574"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.009", "T1574"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -5037,7 +5187,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for fast execution of processes used for system network configuration discovery on the endpoint.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1016"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1016"], "nist": ["DE.CM"]}
 known_false_positives = It is uncommon for normal users to execute a series of commands used for network discovery. System administrators often use scripts to execute these commands. These can generate false positives.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -5047,7 +5197,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for executions of cmd.exe spawned by a process that is often abused by attackers and that does not typically launch cmd.exe.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.AE"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.AE"]}
 known_false_positives = There are circumstances where an application may legitimately execute and interact with the Windows command-line interface. Investigate and modify the lookup file, as appropriate.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -5057,7 +5207,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for events where `PsExec.exe` is run with the `accepteula` flag in the command line. PsExec is a built-in Windows utility that enables you to execute processes on other systems. It is fully interactive for console applications. This tool is widely used for launching interactive command prompts on remote systems. Threat actors leverage this extensively for executing code on compromised systems. If an attacker is running PsExec for the first time, they will be prompted to accept the end-user license agreement (EULA), which can be passed as the argument `accepteula` within the command line.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1021", "T1021.002"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.002"], "nist": ["DE.CM"]}
 known_false_positives = Administrators can leverage PsExec for accessing remote systems and might pass `accepteula` as an argument if they are running this tool for the first time. 
However, it is not likely that you'd see multiple occurrences of this event on a machine
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -5077,7 +5227,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic identifies commonly used command-line arguments used by `rclone.exe` to initiate a file transfer. Some arguments were negated as they are specific to the configuration used by adversaries. In particular, an adversary may list the files or directories of the remote file share using `ls` or `lsd`, which is not indicative of malicious behavior. During triage, at this stage of a ransomware event, exfiltration is about to occur or has already. Isolate the endpoint and continue investigating by review file modifications and parallel processes.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1020"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1020"], "nist": ["DE.CM"]}
 known_false_positives = False positives should be limited as this is restricted to the Rclone process name. Filter or tune the analytic as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -5087,7 +5237,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies regasm.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
 known_false_positives = Although unlikely, limited instances of regasm.exe or regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -5097,7 +5247,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies regasm.exe with a network connection to a public IP address, exluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote Command And Control server, the adversary will have the ability to escalate privileges and complete the objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
 known_false_positives = Although unlikely, limited instances of regasm.exe with a network connection may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.
 providing_technologies = null 
@@ -5107,7 +5257,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies regasm.exe with no command line arguments. This particular behavior occurs when another process injects into regasm.exe, no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe are natively found in `C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe` and `C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe`.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]} 
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
 known_false_positives = Although unlikely, limited instances of regasm.exe or may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -5117,7 +5267,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies regsvcs.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]} known_false_positives = Although unlikely, limited instances of regasm.exe or regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage. 
providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] @@ -5127,7 +5277,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies Regsvcs.exe with a network connection to a public IP address, exluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote Command And Control server, the adversary will have the ability to escalate privileges and complete the objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]} known_false_positives = Although unlikely, limited instances of regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage. providing_technologies = null 
@@ -5137,7 +5287,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies regsvcs.exe with no command line arguments. This particular behavior occurs when another process injects into regsvcs.exe, no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]} known_false_positives = Although unlikely, limited instances of regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -5148,7 +5298,7 @@ confidence = medium explanation = Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.This variation of the technique is often referred to as a "Squiblydoo" attack. \ Upon investigating, look for network connections to remote destinations (internal or external). Be cautious to modify the query to look for "scrobj.dll", the ".dll" is not required to load scrobj. "scrobj.dll" will be loaded by "regsvr32.exe" upon execution. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.CM"]} known_false_positives = Limited false positives related to third party software registering .DLL's. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -5158,7 +5308,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies renamed 7-Zip usage using Sysmon. At this stage of an attack, review parallel processes and file modifications for data that is staged or potentially have been exfiltrated. This analytic utilizes the OriginalFileName to capture the renamed process. During triage, validate this is the legitimate version of `7zip` by reviewing the PE metadata. In addition, review parallel processes for further suspicious behavior. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} known_false_positives = Limited false positives, however this analytic will need to be modified for each environment if Sysmon is not used. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -5168,7 +5318,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies renamed instances of `PsExec.exe` being utilized on an endpoint. Most instances, it is highly probable to capture `Psexec.exe` or other SysInternal utility usage with the command-line argument of `-accepteula`. During triage, validate this is the legitimate version of `PsExec` by reviewing the PE metadata. In addition, review parallel processes for further suspicious behavior. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"]} known_false_positives = Limited false positives should be present. It is possible some third party applications may use older versions of PsExec, filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -5178,7 +5328,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the usage of `rclone.exe`, renamed, being used to exfiltrate data to a remote destination. RClone has been used by multiple ransomware groups to exfiltrate data. In many instances, it will be downloaded from the legitimate site and executed accordingly. During triage, isolate the endpoint and begin to review parallel processes for additional behavior. At this stage, the adversary may have staged data to be exfiltrated. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1020"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1020"], "nist": ["DE.AE"]} known_false_positives = False positives should be limited as this analytic identifies renamed instances of `rclone.exe`. Filter as needed if there is a legitimate business use case. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -5188,7 +5338,7 @@ asset_type = Endpoint confidence = medium explanation = The following analtyic identifies renamed instances of `WinRAR.exe`. In most cases, it is not common for WinRAR to be used renamed, however it is common to be installed by a third party application and executed from a non-standard path. During triage, validate additional metadata from the binary that this is `WinRAR`. Review parallel processes and file modifications. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} known_false_positives = Unknown. It is possible third party applications use renamed instances of WinRAR. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -5198,7 +5348,7 @@ asset_type = Endpoint confidence = medium explanation = This search is used to detect the abuse of the right-to-left override (RTLO or RLO) character (U+202E) RTLO. This technique is used by adversaries to disguise a string and/or file name to make it appear benign. The RTLO character is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. how_to_implement = To successfully implement this search you need to be ingesting information on process that includes the full command line of the process being launched on your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1036.002", "T1036"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.002", "T1036"], "nist": ["DE.CM"]} known_false_positives = Implementation in regions that use right to left in native language. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -5208,7 +5358,7 @@ asset_type = Endpoint confidence = medium explanation = This search is used to detect the abuse of the right-to-left override (RTLO or RLO) character (U+202E) RTLO. This technique is used by adversaries to disguise a string and/or file name to make it appear benign. The RTLO character is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1036.002", "T1036"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.002", "T1036"], "nist": ["DE.CM"]} known_false_positives = Implementation in regions that use right to left in native language. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -5218,7 +5368,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies rundll32.exe loading advpack.dll and ieadvpack.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} known_false_positives = Although unlikely, some legitimate applications may use advpack.dll or ieadvpack.dll, triggering a false positive. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -5228,7 +5378,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies rundll32.exe loading setupapi.dll and iesetupapi.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} known_false_positives = Although unlikely, some legitimate applications may use setupapi triggering a false positive. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -5238,7 +5388,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies rundll32.exe loading syssetup.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} known_false_positives = Although unlikely, some legitimate applications may use syssetup.dll, triggering a false positive. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -5248,7 +5398,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies "rundll32.exe" execution with inline protocol handlers. "JavaScript", "VBScript", and "About" are the only supported options when invoking HTA content directly on the command-line. This type of behavior is commonly observed with fileless malware or application whitelisting bypass techniques. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "rundll32.exe" and its parent process. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} known_false_positives = Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -5258,7 +5408,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies common command-line arguments used by SharpHound `-collectionMethod` and `invoke-bloodhound`. Being the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} known_false_positives = False positives should be limited as the arguments used are specific to SharpHound. Filter as needed or add more command-line arguments as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -5268,7 +5418,7 @@ asset_type = Endpoint confidence = medium explanation = SharpHound is used as a reconnaissance collector, ingestor, for BloodHound. SharpHound will query the domain controller and begin gathering all the data related to the domain and trusts. For output, it will drop a .zip file upon completion following a typical pattern that is often not changed. This analytic focuses on the default file name scheme. Note that this may be evaded with different parameters within SharpHound, but that depends on the operator. `-randomizefilenames` and `-encryptzip` are two examples. In addition, executing SharpHound via .exe or .ps1 without any command-line arguments will still perform activity and dump output to the default filename. Example default filename `20210601181553_BloodHound.zip`. SharpHound creates multiple temp files following the same pattern `20210601182121_computers.json`, `domains.json`, `gpos.json`, `ous.json` and `users.json`. Tuning may be required, or remove these json's entirely if it is too noisy. During traige, review parallel processes for further suspicious behavior. Typically, the process executing the `.ps1` ingestor will be PowerShell. how_to_implement = To successfully implement this search you need to be ingesting information on file modifications that include the name of the process, and file, responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} known_false_positives = False positives should be limited as the analytic is specific to a filename with extension .zip. Filter as needed. 
providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -5278,7 +5428,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies SharpHound binary usage by using the original filena,e. In addition to renaming the PE, other coverage is available to detect command-line arguments. This particular analytic looks for the original_file_name of `SharpHound.exe` and the process name. It is possible older instances of SharpHound.exe have different original filenames. Dependent upon the operator, the code may be re-compiled and the attributes removed or changed to anything else. During triage, review the metadata of the binary in question. Review parallel processes for suspicious behavior. Identify the source of this binary. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} known_false_positives = False positives should be limited as this is specific to a file attribute not used by anything else. Filter as needed. 
providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -5288,7 +5438,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic uses a pre-trained Deep Learning model to predict whether a processname is suspicious or not. Malwares and malicious programs such as ransomware often use tactics, techniques, and procedures (TTPs) such as copying malicious files to the local machine to propagate themselves across the network. A key indicator of compromise is that after a successful execution of the malware, it copies itself as an executable file with a randomly generated filename and places this file in one of the directories. Such techniques are seen in several malwares such as TrickBot. We develop machine learning model that uses a Recurrent Neural Network (RNN) to distinguish between malicious and benign processnames. The model is trained independently and is then made available for download. We use a character level RNN to classify malicious vs. benign processnames. The higher is_malicious_prob, the more likely is the processname to be suspicious (between [0,1]). The threshold for flagging a processname as suspicious is set as 0.5.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
 known_false_positives = False positives may be present if a suspicious processname is similar to a benign processname.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -5298,8 +5448,8 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for the execution of the cscript.exe or wscript.exe processes, with a parent of cmd.exe. The search will return the count, the first and last time this execution was seen on a machine, the user, and the destination of the machine
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.CM"]}
-known_false_positives = Some legitimate applications may exhibit this behavior.
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.CM"]}
+known_false_positives = This detection may also be triggered by legitimate applications and numerous service accounts, which often end with a $ sign. To manage this, it's advised to check the service account's activities and, if they are valid, modify the filter macro to exclude them.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 [savedsearch://ESCU - Detect Webshell Exploit Behavior - Rule]
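Review bot: The new known_false_positives text on the `+known_false_positives` line does not match the detection it documents: the explanation says the search keys on cscript.exe/wscript.exe spawned by cmd.exe, but the new text talks about "service accounts, which often end with a $ sign" and a filter macro, which is the boilerplate for an account-centric detection and reads as pasted from another rule. Accounts ending in `$` are computer accounts, so an analyst following this guidance would be filtering on a field the rule's explanation never mentions. Since this dist file is regenerated from the detection YAML, the wording should be corrected at the source; something like `known_false_positives = Legitimate automation (logon scripts, software deployment, administrative batch files) commonly launches cscript.exe/wscript.exe from cmd.exe. Baseline the parent command line and script path per host and add known-good entries to the filter macro.` would describe the actual tuning surface. I cannot see the SPL of the search in this hunk, so if it does in fact filter on user accounts the text should say how that relates to the process-tree condition.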
@@ -5308,7 +5458,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is used to detect the abuse of web applications by adversaries. Adversaries may install a backdoor or script onto web servers by exploiting known vulnerabilities or misconfigruations. Web shells are used to establish persistent access to systems and provide a set of executable functions or a command-line interface on the system hosting the Web server.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1505", "T1505.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.003"], "nist": ["DE.CM"]}
 known_false_positives = Legitimate OS functions called by vendor applications, baseline the environment and filter before enabling. Recommend throttle by dest/process_name
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -5323,7 +5473,7 @@ All event subscriptions have three components \
 1. Binding - Registers a filter to a consumer. EventID equals 21 \
 Monitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding. It may be pertinent to review all 3 to identify the flow of execution. In addition, EventCode 4104 may assist with any other PowerShell script usage that registered the subscription.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with that provide WMI Event Subscription from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA and have enabled EventID 19, 20 and 21. Tune and filter known good to limit the volume.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1546.003", "T1546"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.003", "T1546"], "nist": ["DE.CM"]}
 known_false_positives = It is possible some applications will create a consumer and may be required to be filtered. For tuning, add any additional LOLBin's for further depth of coverage.
 providing_technologies = null
@@ -5333,7 +5483,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for specific command-line arguments that may indicate the execution of tools made by Nirsoft, which are legitimate, but may be abused by attackers.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1072"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1072"], "nist": ["DE.CM"]}
 known_false_positives = While legitimate, these NirSoft tools are prone to abuse. You should verfiy that the tool was used for a legitimate purpose.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -5343,7 +5493,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = this search is to identify modification in registry to disable AMSI windows feature to evade detections. This technique was seen in several ransomware, RAT and even APT to impaire defenses of the compromise machine and to be able to execute payload with minimal alert as much as possible.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = network operator may disable this feature of windows but not so common.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -5353,7 +5503,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = admin or user may choose to disable windows defender product
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -5363,7 +5513,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the BlockAtFirstSeen feature where it blocks suspicious files the first time seen on the host.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = admin or user may choose to disable windows defender product
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -5373,7 +5523,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is intended to detect a suspicious modification of registry to disable windows defender features. This technique attempts to bypass or evade detection from Windows Defender AV, specifically the Enhanced Notification feature where a user or admin would receive alerts.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = user may choose to disable windows defender AV
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -5383,7 +5533,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = admin or user may choose to disable windows defender product
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -5393,7 +5543,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is intended to detect a suspicious modification of registry to disable Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV product, specifically the spynet reporting for Defender telemetry.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = admin or user may choose to disable windows defender product
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -5403,7 +5553,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the feature that submits samples for further analysis.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = admin or user may choose to disable windows defender product
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -5413,7 +5563,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to identify modification in registry to disable ETW windows feature to evade detections. This technique was seen in several ransomware, RAT and even APT to impaire defenses of the compromise machine and to be able to execute payload with minimal alert as much as possible.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = network operator may disable this feature of windows but not so common.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -5423,7 +5573,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect execution of wevtutil.exe to disable logs. This technique was seen in several ransomware to disable the event logs to evade alerts and detections.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1070", "T1070.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070", "T1070.001"], "nist": ["DE.CM"]}
 known_false_positives = network operator may disable audit event logs for debugging purposes.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
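Review bot: The rewritten `+annotations` line keeps `"mitre_attack": ["T1070", "T1070.001"]`, but T1070.001 is Indicator Removal: Clear Windows Event Logs, while the explanation and known_false_positives on the same hunk describe wevtutil.exe being used to *disable* logging, which ATT&CK files under T1562.002 (Impair Defenses: Disable Windows Event Logging). The SPL for this rule is not in the hunk, so I cannot confirm whether it matches `wevtutil sl ... /e:false` (disable) or `wevtutil cl` (clear); if it is the former, the mapping should be `"mitre_attack": ["T1562", "T1562.002"]`, and if it covers both, list both families. Since dist/ is regenerated from the detection YAML, the fix belongs in the source tags rather than this file; the MITRE mapping drives ES risk/annotation dashboards, so a mislabelled technique misdirects analysts looking for defense-evasion coverage.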
@@ -5433,7 +5583,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search identifies modification of registry to disable the regedit or registry tools of the windows operating system. Since registry tool is a swiss knife in analyzing registry, malware such as RAT or trojan Spy disable this application to prevent the removal of their registry entry such as persistence, file less components and defense evasion.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
 known_false_positives = admin may disable this application for non technical user.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -5443,7 +5593,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to detect a suspicious commandline to disable existing schedule task. This technique is used by adversaries or commodity malware like IcedID to disable security application (AV products) in the targetted host to evade detections. This TTP is a good pivot to check further why and what other process run before and after this detection. check which process execute the commandline and what task is disabled. parent child process is quite valuable in this scenario too.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = admin may disable problematic schedule task
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -5453,7 +5603,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to detect a suspicious registry modification to disable security audit logs. This technique was shared by a researcher to disable Security logs of windows by adding this registry. The Windows will think it is WinPE and will not log any event to the Security Log
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]}
 known_false_positives = Unknown.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -5463,7 +5613,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic is to identify a modification in the Windows registry to prevent users from seeing all the files with hidden attributes. This event or techniques are known on some worm and trojan spy malware that will drop hidden files on the infected machine.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1564.001", "T1562.001", "T1564", "T1562", "T1112"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.001", "T1562.001", "T1564", "T1562", "T1112"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -5473,7 +5623,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to detect a suspicious modification of registry to disable UAC remote restriction. This technique was well documented in Microsoft page where attacker may modify this registry value to bypassed UAC feature of windows host. This is a good indicator that some tries to bypassed UAC to suspicious process or gain privilege escalation.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]}
 known_false_positives = admin may set this policy for non-critical machine.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -5483,7 +5633,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic detects a suspicious registry modification to disable Windows hotkey (shortcut keys) for native Windows applications. This technique is commonly used to disable certain or several Windows applications like `taskmgr.exe` and `cmd.exe`. This technique is used to impair the analyst in analyzing and removing the attacker implant in compromised systems.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -5493,7 +5643,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to identifies a modification in registry to disable the windows denfender real time behavior monitoring. This event or technique is commonly seen in RAT, bot, or Trojan to disable AV to evade detections.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = admin or user may choose to disable this windows features.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -5503,7 +5653,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following search identifies a modification of registry to disable the smartscreen protection of windows machine. This is windows feature provide an early warning system against website that might engage in phishing attack or malware distribution. This modification are seen in RAT malware to cover their tracks upon downloading other of its component or other payload.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = admin or user may choose to disable this windows features.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -5513,7 +5663,7 @@ asset_type = endpoint
 confidence = medium
 explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUser` commandlet with specific parameters. `Get-ADUser` is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, `Get-ADUser` is used to query for domain users. With the appropiate parameters, Get-ADUser allows adversaries to discover domain accounts with Kerberos Pre Authentication disabled.\ Red Teams and adversaries alike use may abuse Get-ADUSer to enumerate these accounts and attempt to crack their passwords offline.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]}
 known_false_positives = Administrators or power users may use search for accounts with Kerberos Pre Authentication disabled for legitimate purposes.
 providing_technologies = ["Microsoft Windows"]
@@ -5523,7 +5673,7 @@ asset_type = endpoint
 confidence = medium
 explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` commandlet with specific parameters. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows Active Directory networks. As the name suggests, `Get-DomainUser` is used to identify domain users and combining it with `-PreauthNotRequired` allows adversaries to discover domain accounts with Kerberos Pre Authentication disabled.\ Red Teams and adversaries alike use may leverage PowerView to enumerate these accounts and attempt to crack their passwords offline.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]}
 known_false_positives = Administrators or power users may use PowerView for troubleshooting
 providing_technologies = ["Microsoft Windows"]
@@ -5533,7 +5683,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to identify modification in registry to disable cmd prompt application. This technique is commonly seen in RAT, Trojan or WORM to prevent triaging or deleting there samples through cmd application which is one of the tool of analyst to traverse on directory and files.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
 known_false_positives = admin may disable this application for non technical user.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -5543,7 +5693,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = this search is to identify registry modification to disable control panel window. This technique is commonly seen in malware to prevent their artifacts , persistence removed on the infected machine.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
 known_false_positives = admin may disable this application for non technical user.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5553,7 +5703,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This particular behavior is typically executed when an adversaries or malware gains access to an endpoint and beings to perform execution and to evade detections. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = admin or user may choose to disable windows defender product
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5563,7 +5713,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
 known_false_positives = admin may disable firewall during testing or fixing network problem.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5573,7 +5723,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to identify registry modification to disable folder options feature of windows to show hidden files, file extension and etc. This technique used by malware in combination if disabling show hidden files feature to hide their files and also to hide the file extension to lure the user base on file icons or fake file extensions.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = admin may disable this application for non technical user.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5583,7 +5733,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic will identify a suspicious command-line that disables a user account using the `net.exe` utility native to Windows. This technique may used by the adversaries to interrupt availability of such users to do their malicious act.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1531"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1531"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5593,7 +5743,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to identify modification of registry to disable run application in window start menu. this application is known to be a helpful shortcut to windows OS user to run known application and also to execute some reg or batch script. This technique is used malware to make cleaning of its infection more harder by preventing known application run easily through run shortcut.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
 known_false_positives = admin may disable this application for non technical user.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5603,7 +5753,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The search looks for modifications to registry keys that control the enforcement of Windows User Account Control (UAC).
 how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report registry modifications.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]}
 known_false_positives = This registry key may be modified via administrators to implement a change in system policy. This type of change should be a very rare occurrence.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5613,7 +5763,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following search identifies the modification of registry related in disabling the system restore of a machine. This event or behavior are seen in some RAT malware to make the restore of the infected machine difficult and keep their infection on the box.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
 known_false_positives = in some cases admin can disable systemrestore on a machine.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5623,7 +5773,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to identifies modification of registry to disable the task manager of windows operating system. this event or technique are commonly seen in malware such as RAT, Trojan, TrojanSpy or worm to prevent the user to terminate their process.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = admin may disable this application for non technical user.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5633,7 +5783,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This detection looks for the deletion of registry keys which disable LSA protection and MS Defender Device Guard.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1556"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556"], "nist": ["DE.CM"]}
 known_false_positives = Potential to be triggered by an administrator disabling protections for troubleshooting purposes.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5643,7 +5793,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies DLLHost.exe with no command line arguments with a network connection. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
 known_false_positives = Although unlikely, some legitimate third party applications may use a moved copy of dllhost, triggering a false positive.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5653,7 +5803,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = this search is to detect potential DNS exfiltration using nslookup application. This technique are seen in couple of malware and APT group to exfiltrated collected data in a infected machine or infected network. This detection is looking for unique use of nslookup where it tries to use specific record type, TXT, A, AAAA, that are commonly used by attacker and also the retry parameter which is designed to query C2 DNS multiple tries.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1048"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048"], "nist": ["DE.CM"]}
 known_false_positives = admin nslookup usage
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5663,7 +5813,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to discover domain users. The `user` argument returns a list of all users registered in the domain. Red Teams and adversaries alike engage in remote system discovery for situational awareness and Active Directory Discovery.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]}
 known_false_positives = Administrators or power users may use this command for troubleshooting.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5673,7 +5823,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for domain users. Red Teams and adversaries alike may use net.exe to enumerate domain users for situational awareness and Active Directory Discovery.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]}
 known_false_positives = Administrators or power users may use this command for troubleshooting.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5683,7 +5833,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for domain users. Red Teams and adversaries alike use wmic.exe to enumerate domain users for situational awareness and Active Directory Discovery.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]}
 known_false_positives = Administrators or power users may use this command for troubleshooting.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5693,7 +5843,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the execution of `nltest.exe` with command-line arguments utilized to discover remote systems. The arguments `/dclist:` and '/dsgetdc:', can be used to return a list of all domain controllers. Red Teams and adversaries alike may use nltest.exe to identify domain controllers in a Windows Domain for situational awareness and Active Directory Discovery.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
 known_false_positives = Administrators or power users may use this command for troubleshooting.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5703,7 +5853,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to discover remote systems. The arguments utilized in this command line return a list of all domain controllers in a Windows domain. Red Teams and adversaries alike use *.exe to identify remote systems for situational awareness and Active Directory Discovery.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]}
 known_false_positives = Administrators or power users may use this command for troubleshooting.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5713,7 +5863,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain groups for situational awareness and Active Directory Discovery.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
 known_false_positives = Administrators or power users may use Adsisearcher for troubleshooting.
 providing_technologies = ["Microsoft Windows"]
 
@@ -5723,7 +5873,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to query for domain groups. The argument `group`, returns a list of all domain groups. Red Teams and adversaries alike use may leverage dsquery.exe to enumerate domain groups for situational awareness and Active Directory Discovery.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]}
 known_false_positives = Administrators or power users may use this command for troubleshooting.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5733,7 +5883,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the execution of `net.exe` with command-line arguments utilized to query for domain groups. The argument `group /domain`, returns a list of all domain groups. Red Teams and adversaries alike use net.exe to enumerate domain groups for situational awareness and Active Directory Discovery.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]}
 known_false_positives = Administrators or power users may use this command for troubleshooting.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5743,7 +5893,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for domain groups. The arguments utilized in this command return a list of all domain groups. Red Teams and adversaries alike use wmic.exe to enumerate domain groups for situational awareness and Active Directory Discovery.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]}
 known_false_positives = Administrators or power users may use this command for troubleshooting.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5753,7 +5903,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic will identify a suspicious download by the Telegram application on a Windows system. This behavior was identified on a honeypot where the adversary gained access, installed Telegram and followed through with downloading different network scanners (port, bruteforcer, masscan) to the system and later used to mapped the whole network and further move laterally.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and TargetFilename from your endpoints or Events that monitor filestream events which is happened when process download something. (EventCode 15) If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
 known_false_positives = normal download of file in telegram app. (if it was a common app in network)
 providing_technologies = null
 
@@ -5763,7 +5913,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect dropping a suspicious file named as "license.dat" in %appdata%. This behavior seen in latest IcedID malware that contain the actual core bot that will be injected in other process to do banking stealing.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
 
@@ -5778,7 +5928,7 @@ DSQuery.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64`
 The following DLL(s) are loaded when DSQuery.exe is launched `dsquery.dll`. If found loaded by another process, it is possible dsquery is running within that process context in memory.\
 In addition to trust discovery, review parallel processes for additional behaviors performed. Identify the parent process and capture any files (batch files, for example) being used.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]}
 known_false_positives = Limited false positives. If there is a true false positive, filter based on command-line or parent process.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5788,7 +5938,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries to exploit the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. The detection is made by monitoring logs with process information from endpoints and identifying instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump. This indicates potential LSASS dumping attempts used by threat actors to obtain valuable credentials. The detection is important because credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. No legitimate use of this technique has been identified yet. This behavior is often part of more extensive attack campaigns and is associated with numerous threat groups that use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. False positives can occur since legitimate uses of the LSASS process can cause benign activities to be flagged. Next steps include reviewing the processes involved in the LSASS dumping attempt after triage and inspecting any relevant on-disk artifacts and concurrent processes to identify the attack source.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]}
 known_false_positives = None identified.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5799,7 +5949,7 @@ confidence = medium
 explanation = Detect procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. This query does not monitor for the internal name (original_file_name=procdump) of the PE or look for procdump64.exe. Modify the query as needed.\
 During triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]}
 known_false_positives = None identified.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5809,7 +5959,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for specific elevated domain groups. Red Teams and adversaries alike use net.exe to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
 known_false_positives = Administrators or power users may use this command for troubleshooting.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5819,7 +5969,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainGroupMember` commandlet. `Get-DomainGroupMember` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. As the name suggests, `Get-DomainGroupMember` is used to list the members of an specific domain group. Red Teams and adversaries alike use PowerView to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]}
 known_false_positives = Administrators or power users may use this PowerView for troubleshooting.
 providing_technologies = ["Microsoft Windows"]
 
@@ -5829,7 +5979,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for specific domain groups. Red Teams and adversaries alike use net.exe to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
 known_false_positives = Administrators or power users may use this command for troubleshooting.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5839,7 +5989,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect a modification to registry to enable rdp to a machine with different port number. This technique was seen in some atttacker tries to do lateral movement and remote access to a compromised machine to gain control of it.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1021"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5849,7 +5999,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to detect a suspicious registry modification to enable plain text credential feature of windows. This technique was used by several malware and also by mimikatz to be able to dumpe the a plain text credential to the compromised or target host. This TTP is really a good indicator that someone wants to dump the crendential of the host so it must be a good pivot for credential dumping techniques.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112", "T1003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112", "T1003"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5859,7 +6009,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic will detect a suspicious Telegram process enumerating all network users in a local group. This technique was seen in a Monero infected honeypot to mapped all the users on the compromised system. EventCode 4798 is generated when a process enumerates a user's security-enabled local groups on a computer or device.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the Task Schedule (Exa. Security Log EventCode 4798) endpoints. Tune and filter known instances of process like logonUI used in your environment.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Microsoft Windows"]
 
@@ -5869,7 +6019,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies the process - `esentutl.exe` - being used to capture credentials stored in ntds.dit or the SAM file on disk. During triage, review parallel processes and determine if legitimate activity. Upon determination of illegitimate activity, take further action to isolate and contain the threat.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.AE"]}
 known_false_positives = False positives should be limited. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5879,7 +6029,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to detect a registry modification to disable ETW feature of windows. This technique is to evade EDR appliance to evade detections and hide its execution from audit logs.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.006", "T1127", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.006", "T1127", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5889,7 +6039,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following search identifies Eventvwr bypass by identifying the registry modification into a specific path that eventvwr.msc looks to (but is not valid) upon execution. A successful attack will include a suspicious command to be executed upon eventvwr.msc loading. Upon triage, review the parallel processes that have executed. Identify any additional registry modifications on the endpoint that may look suspicious. Remediate as necessary.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]}
 known_false_positives = Some false positives may be present and will need to be filtered.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5899,7 +6049,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following detection identifies Microsoft Excel spawning PowerShell. Typically, this is not common behavior and not default with Excel.exe. Excel.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). PowerShell spawning from Excel.exe is common for a spearphishing attachment and is actively used. Albeit, the command executed will most likely be encoded and captured via another detection. During triage, review parallel processes and identify any files that may have been written.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]}
 known_false_positives = False positives should be limited, but if any are present, filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5909,7 +6059,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following detection identifies Microsoft Excel spawning Windows Script Host - `cscript.exe` or `wscript.exe`. Typically, this is not common behavior and not default with Excel.exe. Excel.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). `cscript.exe` or `wscript.exe` default location is `c:\windows\system32\` or c:windows\syswow64`. `cscript.exe` or `wscript.exe` spawning from Excel.exe is common for a spearphishing attachment and is actively used. Albeit, the command-line executed will most likely be obfuscated and captured via another detection. During triage, review parallel processes and identify any files that may have been written. Review the reputation of the remote destination and block accordingly.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]}
 known_false_positives = False positives should be limited, but if any are present, filter as needed. In some instances, `cscript.exe` is used for legitimate business practices. 
providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5919,7 +6069,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic will identify suspicious series of command-line to disable several services. This technique is seen where the adversary attempts to disable security app services or other malware services to complete the objective on the compromised system.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5929,7 +6079,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic will identify suspicious series of process executions. We have observed that post exploit framework tools like Koadic and Meterpreter will launch an excessive number of processes with distinct file paths from Windows\Temp to execute actions on objective. This behavior is extremely anomalous compared to typical application behaviors that use Windows\Temp.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
 known_false_positives = Many benign applications will create processes from executables in Windows\Temp, although unlikely to exceed the given threshold. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5939,7 +6089,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic will identify excessive file deletion events in the Windows Defender folder. This technique was seen in the WhisperGate malware campaign in which adversaries abused Nirsofts advancedrun.exe to gain administrative privilege to then execute PowerShell commands to delete files within the Windows Defender application folder. This behavior is a good indicator the offending process is trying to corrupt a Windows Defender installation.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, TargetFilename, and ProcessID executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]}
 known_false_positives = Windows Defender AV updates may cause this alert. Please update the filter macros to remove false positives.
 providing_technologies = null
 
@@ -5949,7 +6099,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This detection targets behaviors observed when threat actors have used sc.exe to modify services. We observed malware in a honey pot spawning numerous sc.exe processes in a short period of time, presumably to impair defenses, possibly to block others from compromising the same machine. This detection will alert when we see both an excessive number of sc.exe processes launched with specific commandline arguments to disable the start of certain services.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
 known_false_positives = Legitimate programs and administrators will execute sc.exe with the start disabled flag. It is possible, but unlikely from the telemetry of normal Windows operation we observed, that sc.exe will be called more than seven times in a short period of time.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5959,7 +6109,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This detection targets behaviors observed in post exploit kits like Meterpreter and Koadic that are run in memory. We have observed that these tools must invoke an excessive number of taskhost.exe and taskhostex.exe processes to complete various actions (discovery, lateral movement, etc.). It is extremely uncommon in the course of normal operations to see so many distinct taskhost and taskhostex processes running concurrently in a short time frame.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
 known_false_positives = Administrators, administrative actions or certain applications may run many instances of taskhost and taskhostex concurrently. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5969,7 +6119,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic identifies suspicious series of attempt to kill multiple services on a system using either `net.exe` or `sc.exe`. This technique is use by adversaries to terminate security services or other related services to continue there objective and evade detections.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5979,7 +6129,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies excessive usage of `cacls.exe`, `xcacls.exe` or `icacls.exe` application to change file or folder permission. This behavior is commonly seen where the adversary attempts to impair some users from deleting or accessing its malware components or artifact from the compromised system.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1222"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.AE"]}
 known_false_positives = Administrators or administrative scripts may use this application. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5989,7 +6139,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic identifies excessive usage of `net.exe` or `net1.exe` within a bucket of time (1 minute). This behavior was seen in a Monero incident where the adversary attempts to create many users, delete and disable users as part of its malicious behavior.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1531"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1531"], "nist": ["DE.AE"]}
 known_false_positives = unknown. Filter as needed. Modify the time span as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -5999,7 +6149,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect potential DNS exfiltration using nslookup application. This technique are seen in couple of malware and APT group to exfiltrated collected data in a infected machine or infected network. This detection is looking for unique use of nslookup where it tries to use specific record type (TXT, A, AAAA) that are commonly used by attacker and also the retry parameter which is designed to query C2 DNS multiple tries.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of nslookup.exe may be used.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1048"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
 
@@ -6009,7 +6159,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect a suspicious excessive usage of sc.exe in a host machine. This technique was seen in several ransomware , xmrig and other malware to create, modify, delete or disable a service may related to security application or to gain privilege escalation.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed taskkill.exe may be used.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"]}
 known_false_positives = excessive execution of sc.exe is quite suspicious since it can modify or execute app in high privilege permission.
 providing_technologies = null
 
@@ -6019,7 +6169,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic identifies excessive usage of `taskkill.exe` application. This application is commonly used by adversaries to evade detections by killing security product processes or even other processes to evade detection.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
 known_false_positives = Unknown. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -6033,7 +6183,7 @@ A suspicious event will have `PowerShell`, the method `POST` and `autodiscover.j
 An event will look similar to `POST /autodiscover/autodiscover.json a=dsxvu@fnsso.flq/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3d...` (abbreviated) \
 Review the source attempting to perform this activity against your environment. In addition, review PowerShell logs and access recently granted to Exchange roles.
 how_to_implement = The following analytic requires on-premise Exchange to be logging to Splunk using the TA - https://splunkbase.splunk.com/app/3225. Ensure logs are parsed correctly, or tune the analytic for your environment.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
 known_false_positives = Limited false positives, however, tune as needed.
 providing_technologies = null
 
@@ -6047,7 +6197,7 @@ Module - New-MailboxExportRequest will begin the process of exporting contents o Module - New-managementroleassignment can assign a management role to a management role group, management role assignment policy, user, or universal security group (USG). \ Module - New-MailboxSearch cmdlet to create a mailbox search and either get an estimate of search results, place search results on In-Place Hold or copy them to a Discovery mailbox. You can also place all contents in a mailbox on hold by not specifying a search query, which accomplishes similar results as Litigation Hold. \ Module - Get-Recipient cmdlet to view existing recipient objects in your organization. This cmdlet returns all mail-enabled objects (for example, mailboxes, mail users, mail contacts, and distribution groups). how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. providing_technologies = ["Microsoft Windows"] 
@@ -6057,7 +6207,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies executable files (.exe or .dll) being written to Windows administrative SMB shares (Admin$, IPC$, C$). This represents suspicious behavior as its commonly used by tools like PsExec/PaExec and others to stage service binaries before creating and starting a Windows service on remote endpoints. Red Teams and adversaries alike may abuse administrative shares for lateral movement and remote code execution. The Trickbot malware family also implements this behavior to try to infect other machines in the infected network.
 how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5145 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1021", "T1021.002"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.002"], "nist": ["DE.CM"]}
 known_false_positives = System Administrators may use looks like PsExec for troubleshooting or administrations tasks. However, this will typically come only from certain users and certain systems that can be added to an allow list.
 providing_technologies = ["Microsoft Windows"]
 
@@ -6067,7 +6217,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic identifies potentially malicious executables or scripts by examining a list of suspicious file paths on Windows Operating System. The purpose of this technique is to uncover files with known file extensions that could be used by adversaries to evade detection and persistence. The suspicious file paths selected for investigation are typically uncommon and uncommonly associated with executable or script files. By scrutinizing these paths, we can proactively identify potential security threats and enhance overall system security.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1036"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.AE"]}
 known_false_positives = Administrators may allow creation of script or exe in the paths specified. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -6077,7 +6227,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic will identify suspicious process of cscript.exe where it tries to execute javascript using jscript.encode CLSID (COM OBJ). This technique was seen in ransomware (reddot ransomware) where it execute javascript with this com object with combination of amsi disabling technique.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.005"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.005"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -6087,7 +6237,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for processes launched from files that have double extensions in the file name. This is typically done to obscure the "real" file extension and make it appear as though the file being accessed is a data file, as opposed to executable content.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1036", "T1036.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1036.003"], "nist": ["DE.CM"]}
 known_false_positives = None identified.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -6097,7 +6247,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies the use of `reg.exe` exporting Windows Registry hives containing credentials. Adversaries may use this technique to export registry hives for offline credential access attacks. Typically found executed from a untrusted process or script. Upon execution, a file will be written to disk.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]}
 known_false_positives = It is possible some agent based products will generate false positives. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -6117,7 +6267,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic detects a potential suspicious modification of firewall rule allowing to execute specific application. This technique was identified when an adversary and red teams to bypassed firewall file execution restriction in a targetted host. Take note that this event or command can run by administrator during testing or allowing legitimate tool or application.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]}
 known_false_positives = A network operator or systems administrator may utilize an automated or manual execution of this firewall rule that may generate false positives. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -6127,7 +6277,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for child processes spawned by zoom.exe or zoom.us that has not previously been seen.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1068"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.AE"]}
 known_false_positives = A new child process of zoom isn't malicious by that fact alone. Further investigation of the actions of the child process is needed to verify any malicious behavior is taken.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -6137,7 +6287,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for the first and last time a Windows service is seen running in your environment. This table is then cached.
 how_to_implement = While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows system event logs in order for this search to execute successfully. You should run the baseline search `Previously Seen Running Windows Services - Initial` to build the initial table of child processes and hostnames for this search to work. You should also schedule at the same interval as this search the second baseline search `Previously Seen Running Windows Services - Update` to keep this table up to date and to age out old Windows Services. Please update the `previously_seen_windows_services_window` macro to adjust the time window. Please ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"]}
 known_false_positives = A previously unseen service is not necessarily malicious. Verify that the service is legitimate and that was installed by a legitimate process.
 providing_technologies = null
 
@@ -6151,7 +6301,7 @@ explanation = Fodhelper.exe has a known UAC bypass as it attempts to look for sp
 1. `HKCU:\Software\Classes\ms-settings\shell\open\command\(default)`\
 Upon triage, fodhelper.exe will have a child process and read access will occur on the registry keys. Isolate the endpoint and review parallel processes for additional behavior.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112", "T1548.002", "T1548"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112", "T1548.002", "T1548"], "nist": ["DE.CM"]}
 known_false_positives = Limited to no false positives are expected.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -6161,7 +6311,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect a suspicious fsutil process to zeroing a target file. This technique was seen in lockbit ransomware where it tries to zero out its malware path as part of its defense evasion after encrypting the compromised host.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -6171,7 +6321,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the execution of `powershell.exe` executing the Get-ADDefaultDomainPasswordPolicy commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
 known_false_positives = Administrators or power users may use this command for troubleshooting.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -6181,7 +6331,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADDefaultDomainPasswordPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.
 how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
 known_false_positives = Administrators or power users may use this command for troubleshooting.
 providing_technologies = ["Microsoft Windows"]
 
@@ -6191,7 +6341,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to enumerate domain users. The `Get-AdUser' commandlet returns a list of all domain users. Red Teams and adversaries alike may use this commandlet to identify remote systems for situational awareness and Active Directory Discovery.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]}
 known_false_positives = Administrators or power users may use this command for troubleshooting.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -6201,7 +6351,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGUser` commandlet. The `Get-AdUser` commandlet is used to return a list of all domain users. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery.
 how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]}
 known_false_positives = Administrators or power users may use this command for troubleshooting.
 providing_technologies = ["Microsoft Windows"]
 
@@ -6211,7 +6361,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the execution of `powershell.exe` executing the Get ADUserResultantPasswordPolicy commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]}
 known_false_positives = Administrators or power users may use this command for troubleshooting.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -6221,7 +6371,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUserResultantPasswordPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.
 how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]}
 known_false_positives = Administrators or power users may use this command for troubleshooting.
 providing_technologies = ["Microsoft Windows"]
 
@@ -6231,7 +6381,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the execution of `powershell.exe` executing the `Get-DomainPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]}
 known_false_positives = Administrators or power users may use this command for troubleshooting.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -6241,7 +6391,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get DomainPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.
 how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]}
 known_false_positives = Administrators or power users may use this command for troubleshooting.
 providing_technologies = ["Microsoft Windows"]
 
@@ -6251,7 +6401,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information. Typically, this is utilized within a script being executed and used to enumerate the domain trust information. This grants the adversary an understanding of how large or small the domain is. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]}
 known_false_positives = Limited false positives as this requires an active Administrator or adversary to bring in, import, and execute.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -6263,7 +6413,7 @@ explanation = The following analytic utilizes PowerShell Script Block Logging (E This analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} known_false_positives = It is possible certain system management frameworks utilize this command to gather trust information. providing_technologies = ["Microsoft Windows"] 
@@ -6273,7 +6423,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to enumerate domain users. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain users for situational awareness and Active Directory Discovery. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} known_false_positives = Administrators or power users may use this command for troubleshooting. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -6283,7 +6433,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` commandlet. `GetDomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain users for situational awareness and Active Directory Discovery. how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} known_false_positives = Administrators or power users may use this command for troubleshooting. providing_technologies = ["Microsoft Windows"] 
@@ -6293,7 +6443,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information. Typically, this is utilized within a script being executed and used to enumerate the domain trust information. This grants the adversary an understanding of how large or small the domain is. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} known_false_positives = Limited false positives as this requires an active Administrator or adversary to bring in, import, and execute. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -6305,7 +6455,7 @@ explanation = The following analytic utilizes PowerShell Script Block Logging (E This analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1482", "T1059.001"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1482", "T1059.001"], "nist": ["DE.CM"]} known_false_positives = False positives may be present. Tune as needed. providing_technologies = ["Microsoft Windows"] 
@@ -6315,7 +6465,7 @@ asset_type = Endpoint confidence = medium explanation = The following hunting analytic identifies the use of `Get-WMIObject Win32_Group` being used with PowerShell to identify local groups on the endpoint. \ Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \ During triage, review parallel processes and identify any further suspicious behavior. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} known_false_positives = False positives may be present. Tune as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -6327,7 +6477,7 @@ explanation = The following analytic utilizes PowerShell Script Block Logging (E This analytic identifies the usage of `Get-WMIObject Win32_Group`, which is typically used as a way to identify groups on the endpoint. Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} known_false_positives = False positives may be present. Tune as needed. providing_technologies = ["Microsoft Windows"] 
@@ -6337,7 +6487,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. The `Get-AdComputer' commandlet returns a list of all domain computers. Red Teams and adversaries alike may use this commandlet to identify remote systems for situational awareness and Active Directory Discovery. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]} known_false_positives = Administrators or power users may use this command for troubleshooting. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -6347,7 +6497,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGroup` commandlet. The `Get-AdGroup` commandlet is used to return a list of all domain computers. Red Teams and adversaries may leverage this commandlet to enumerate domain computers for situational awareness and Active Directory Discovery. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]} known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. providing_technologies = ["Microsoft Windows"] 
@@ -6357,7 +6507,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-AdGroup` commandlnet is used to return a list of all groups available in a Windows Domain. Red Teams and adversaries alike may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} known_false_positives = Administrators or power users may use this command for troubleshooting. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -6367,7 +6517,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGroup` commandlet. The `Get-AdGroup` commandlet is used to return a list of all domain groups. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. providing_technologies = ["Microsoft Windows"] 
@@ -6377,7 +6527,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic looks for the execution of `powerhsell.exe` with command-line arguments that execute the `GetCurrent` method of the WindowsIdentity .NET class. This method returns an object that represents the current Windows user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} known_false_positives = Administrators or power users may use this command for troubleshooting. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -6387,7 +6537,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `GetCurrent` method of the WindowsIdentity .NET class. This method returns an object that represents the current Windows user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. providing_technologies = ["Microsoft Windows"] 
@@ -6397,7 +6547,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. `Get-DomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} known_false_positives = Administrators or power users may use PowerView for troubleshooting. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -6407,7 +6557,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainComputer` commandlet. `GetDomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain computers for situational awareness and Active Directory Discovery. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} known_false_positives = Administrators or power users may use PowerView for troubleshooting. providing_technologies = ["Microsoft Windows"] 
@@ -6417,7 +6567,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. `Get-DomainController` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]} known_false_positives = Administrators or power users may use PowerView for troubleshooting. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -6427,7 +6577,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainController` commandlet. `Get-DomainController` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain computers for situational awareness and Active Directory Discovery. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. providing_technologies = ["Microsoft Windows"] 
@@ -6437,7 +6587,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} known_false_positives = Administrators or power users may use this command for troubleshooting. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -6447,7 +6597,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainGroup` commandlet. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. As the name suggests, `Get-DomainGroup` is used to query domain groups. Red Teams and adversaries may leverage this function to enumerate domain groups for situational awareness and Active Directory Discovery. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} known_false_positives = Administrators or power users may use this PowerView functions for troubleshooting. providing_technologies = ["Microsoft Windows"] 
@@ -6457,7 +6607,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for local users. The `Get-LocalUser` commandlet is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]} known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -6467,7 +6617,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-LocalUser` commandlet. The `Get-LocalUser` commandlet is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087", "T1087.001", "T1059.001"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1087", "T1087.001", "T1059.001"], "nist": ["DE.AE"]} known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. providing_technologies = ["Microsoft Windows"] 
@@ -6477,7 +6627,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic looks for the execution of `powershell.exe` with command-line utilized to get a listing of network connections on a compromised system. The `Get-NetTcpConnection` commandlet lists the current TCP connections. Red Teams and adversaries alike may use this commandlet for situational awareness and Active Directory Discovery. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]} known_false_positives = Administrators or power users may use this command for troubleshooting. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -6487,7 +6637,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-NetTcpconnection ` commandlet. This commandlet is used to return a listing of network connections on a compromised system. Red Teams and adversaries alike may use this commandlet for situational awareness and Active Directory Discovery. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]} known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting. providing_technologies = ["Microsoft Windows"] 
@@ -6497,7 +6647,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. The `Get-WmiObject` commandlet combined with the `DS_Computer` parameter can be used to return a list of all domain computers. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain groups for situational awareness and Active Directory Discovery. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} known_false_positives = Administrators or power users may use this command for troubleshooting. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -6507,7 +6657,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet. The `DS_Computer` class parameter leverages WMI to query for all domain computers. Red Teams and adversaries may leverage this commandlet to enumerate domain computers for situational awareness and Active Directory Discovery.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
 known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting.
 providing_technologies = ["Microsoft Windows"]
 
@@ -6517,7 +6667,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-WmiObject` commandlet combined with the `-class ds_group` parameter can be used to return the full list of groups in a Windows domain. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain groups for situational awareness and Active Directory Discovery.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
 known_false_positives = Administrators or power users may use this command for troubleshooting.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -6527,7 +6677,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters . The `DS_Group` parameter leverages WMI to query for all domain groups. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
 known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting.
 providing_technologies = ["Microsoft Windows"]
 
@@ -6537,7 +6687,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain users. The `Get-WmiObject` commandlet combined with the `-class ds_user` parameter can be used to return the full list of users in a Windows domain. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain users for situational awareness and Active Directory Discovery.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]}
 known_false_positives = Administrators or power users may use this command for troubleshooting.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -6547,7 +6697,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet. The `DS_User` class parameter leverages WMI to query for all domain users. Red Teams and adversaries may leverage this commandlet to enumerate domain users for situational awareness and Active Directory Discovery.
 how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]}
 known_false_positives = Administrators or power users may use this command for troubleshooting.
 providing_technologies = ["Microsoft Windows"]
 
@@ -6557,7 +6707,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query local users. The `Get-WmiObject` commandlet combined with the `Win32_UserAccount` parameter is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]}
 known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -6567,7 +6717,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters. The `Win32_UserAccount` parameter is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087", "T1087.001", "T1059.001"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1087", "T1087.001", "T1059.001"], "nist": ["DE.AE"]}
 known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting.
 providing_technologies = ["Microsoft Windows"]
 
@@ -6577,7 +6727,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies gpupdate.exe with no command line arguments and with a network connection. It is unusual for gpupdate.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. gpupdate.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
 known_false_positives = Limited false positives may be present in small environments. Tuning may be required based on parent process.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -6587,7 +6737,7 @@ asset_type = endpoint
 confidence = medium
 explanation = The following analytic identifies headless browser activity accessing mockbin.org or mocky.io. Mockbin.org and mocky.io are web services that allow users to mock HTTP requests and responses. The detection is based on the presence of "--headless" and "--disable-gpu" command line arguments which are commonly used in headless browsing and the presence of mockbin.org or mocky.io in the process.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1564.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.003"], "nist": ["DE.CM"]}
 known_false_positives = False positives are not expected with this detection, unless within the organization there is a legitimate need for headless browsing accessing mockbin.org or mocky.io.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -6597,7 +6747,7 @@ asset_type = endpoint
 confidence = medium
 explanation = The following hunting analytic is designed to detect the usage of headless browsers in an organization. Headless browsers are web browsers without a graphical user interface and are operated via a command line interface or network requests. They are often used for automating tasks but can also be utilized by adversaries for malicious activities such as web scraping, automated testing, and performing actions on web pages without detection. The detection is based on the presence of "--headless" and "--disable-gpu" command line arguments which are commonly used in headless browsing.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1564.003"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.003"], "nist": ["DE.AE"]}
 known_false_positives = This hunting analytic is meant to assist with baselining and understanding headless browsing in use. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -6607,7 +6757,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic identifies a suspicious registry modification to hide a user account on the Windows Login screen. This technique was seen in some tradecraft where the adversary will create a hidden user account with Admin privileges in login screen to avoid noticing by the user that they already compromise and to persist on that said machine.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = Unknown. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -6617,7 +6767,7 @@ asset_type =
 confidence = medium
 explanation = Attackers leverage an existing Windows binary, attrib.exe, to mark specific as hidden by using specific flags so that the victim does not see the file. The search looks for specific command-line arguments to detect the use of attrib.exe to hide files.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1222", "T1222.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222", "T1222.001"], "nist": ["DE.CM"]}
 known_false_positives = Some applications and users may legitimately use attrib.exe to interact with the files.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -6627,7 +6777,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to detect a suspicious high frequency copying/moving of files in network share as part of information sabotage. This anomaly event can be a good indicator of insider trying to sabotage data by transfering classified or internal files within network share to exfitrate it after or to lure evidence of insider attack to other user. This behavior may catch several noise if network share is a common place for classified or internal document processing.
 how_to_implement = o successfully implement this search, you need to be ingesting Windows Security Event Logs with 5145 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1537"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.AE"]}
 known_false_positives = this behavior may seen in normal transfer of file within network if network share is common place for sharing documents.
 providing_technologies = ["Microsoft Windows"]
 
@@ -6637,7 +6787,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is designed to identify a high frequency of process termination events on a computer in a short period of time, which is a common behavior of ransomware malware before encrypting files. This technique is designed to avoid an exception error while accessing (docs, images, database and etc..) in the infected machine for encryption.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the Image (process full path of terminated process) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]}
 known_false_positives = admin or user tool that can terminate multiple process.
 providing_technologies = null
 
@@ -6647,7 +6797,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The hunting analytic outlined below is designed to detect any version of the 3CXDesktopApp, also known as the 3CX Desktop App, operating on either Mac or Windows systems. It is important to note that this particular analytic employs the Endpoint datamodel Processes node, which means that the file version information is not provided. Recently, 3CX has identified a vulnerability specifically in versions 18.12.407 and 18.12.416 of the desktop app.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1195.002"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.002"], "nist": ["DE.AE"]}
 known_false_positives = There may be false positives generated due to the reliance on version numbers for identification purposes. Despite this limitation, the primary goal of this approach is to aid in the detection of the software within the environment.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -6657,7 +6807,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic identifies instances where an adversary modifies the security permissions of a particular file or directory. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The purpose of this behavior is to actively evade detection and impede access to their associated files. By identifying these security permission changes, we can enhance our ability to detect and respond to potential threats, mitigating the impact of malicious activities on the system.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]}
 known_false_positives = Unknown. It is possible some administrative scripts use ICacls. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -6667,7 +6817,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic identifies adversaries who manipulate the security permissions of specific files or directories by granting additional access. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The objective behind this behavior is to actively evade detection mechanisms and tightly control access to their associated files. By identifying these security permission modifications, we can improve our ability to identify and respond to potential threats, thereby minimizing the impact of malicious activities on the system.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]}
 known_false_positives = Unknown. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -6677,7 +6827,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect a suspicious file creation namely passff.tar and cookie.tar. This files are possible archived of stolen browser information like history and cookies in a compromised machine with IcedID.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
 
@@ -6687,7 +6837,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the presence of suspicious commandline parameters typically present when using Impacket tools. Impacket is a collection of python classes meant to be used with Microsoft network protocols. There are multiple scripts that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` and `atexec.py` used to execute commands on remote endpoints. By default, these scripts leverage administrative shares and hardcoded parameters that can be used as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets tools for lateral movement and remote code execution.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]}
 known_false_positives = Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -6697,7 +6847,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic focuses on identifying suspicious command-line parameters commonly associated with the use of Impacket wmiexec.py. Impacket is a set of Python classes designed for working with Microsoft network protocols, and it includes several scripts like wmiexec.py, smbexec.py, dcomexec.py, and atexec.py that enable command execution on remote endpoints. These scripts typically utilize administrative shares and hardcoded parameters, which can serve as signatures to detect their usage. Both Red Teams and adversaries may employ Impacket tools for lateral movement and remote code execution purposes. By monitoring for these specific command-line indicators, the analytic aims to detect potentially malicious activities related to Impacket tool usage.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]}
 known_false_positives = Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -6707,7 +6857,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the presence of suspicious commandline parameters typically present when using Impacket tools. Impacket is a collection of python classes meant to be used with Microsoft network protocols. There are multiple scripts that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` and `atexec.py` used to execute commands on remote endpoints. By default, these scripts leverage administrative shares and hardcoded parameters that can be used as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets tools for lateral movement and remote code execution.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]}
 known_false_positives = Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -6717,7 +6867,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the usage of the `Enter-PSSession`. This commandlet can be used to open an interactive session on a remote endpoint leveraging the WinRM protocol. Red Teams and adversaries alike may abuse WinRM and `Enter-PSSession` for lateral movement and remote code execution.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]}
 known_false_positives = Administrators may leverage WinRM and `Enter-PSSession` for administrative and troubleshooting tasks. This activity is usually limited to a small set of hosts or users. In certain environments, tuning may not be possible.
 providing_technologies = ["Microsoft Windows"]
 
@@ -6727,7 +6877,7 @@ asset_type = Web Server confidence = medium explanation = The following analytic identifies a Java user agent performing a GET request for a .class file from the remote site. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). how_to_implement = To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good. -annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} known_false_positives = Filtering may be required in some instances, filter as needed. providing_technologies = null 
@@ -6737,7 +6887,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the process java writing a .jsp to disk. This is potentially indicative of a web shell being written to disk. Modify and tune the analytic based on data ingested. For instance, it may be worth running a broad query for jsp file writes first before performing a join. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} known_false_positives = False positives are possible and filtering may be required. Restrict by assets or filter known jsp files that are common for the environment. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -6747,7 +6897,7 @@ asset_type = Endpoint confidence = medium explanation = This search is to detect a execution of jscript using cscript process. Commonly when a user run jscript file it was executed by wscript.exe application. This technique was seen in FIN7 js implant to execute its malicious script using cscript process. This behavior is uncommon and a good artifacts to check further anomalies within the network how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -6757,7 +6907,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential kerberoasting attack against Active Directory networks. Kerberoasting allows an adversary to request kerberos tickets for domain accounts typically used as service accounts and attempt to crack them offline allowing them to obtain privileged access to the domain. This analytic looks for a specific combination of the Ticket_Options field based on common kerberoasting tools. Defenders should be aware that it may be possible for a Kerberoast attack to use different Ticket_Options. how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.CM"]} known_false_positives = Older systems that support kerberos RC4 by default like NetApp may generate false positives. Filter as needed providing_technologies = ["Microsoft Windows"] 
@@ -6767,7 +6917,7 @@ asset_type = endpoint confidence = medium explanation = The following analytic leverages Windows Security Event 4738, `A user account was changed`, to identify a change performed on a domain user object that disables Kerberos Pre-Authentication. Disabling the Pre Authentication flag in the UserAccountControl property allows an adversary to easily perform a brute force attack against the user's password offline leveraging the ASP REP Roasting technique. Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges. how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `User Account Management` within `Account Management` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]} known_false_positives = Unknown. providing_technologies = ["Microsoft Windows"] 
@@ -6777,7 +6927,7 @@ asset_type = endpoint confidence = medium explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Set-ADAccountControl` commandlet with specific parameters. `Set-ADAccountControl` is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, `Set-ADAccountControl` is used to modify User Account Control values for an Active Directory domain account. With the appropiate parameters, Set-ADAccountControl allows adversaries to disable Kerberos Pre-Authentication for an account to to easily perform a brute force attack against the user's password offline leveraging the ASP REP Roasting technique. Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]} known_false_positives = Although unlikely, Administrators may need to set this flag for legitimate purposes. providing_technologies = ["Microsoft Windows"] 
@@ -6787,7 +6937,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential Kerberos Service Ticket request related to a Golden Ticket attack. Adversaries who have obtained the Krbtgt account NTLM password hash may forge a Kerberos Granting Ticket (TGT) to obtain unrestricted access to an Active Directory environment. Armed with a Golden Ticket, attackers can request service tickets to move laterally and execute code on remote systems. Looking for Kerberos Service Ticket requests using the legacy RC4 encryption mechanism could represent the second stage of a Golden Ticket attack. RC4 usage should be rare on a modern network since Windows Vista & Windows Sever 2008 and newer support AES Kerberos encryption.\ Defenders should note that if an attacker does not leverage the NTLM password hash but rather the AES key to create a golden ticket, this detection may be bypassed. how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1558", "T1558.001"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.001"], "nist": ["DE.CM"]} known_false_positives = Based on Microsoft documentation, legacy systems or applications will use RC4-HMAC as the default encryption for Kerberos Service Ticket requests. Specifically, systems before Windows Server 2008 and Windows Vista. Newer systems will use AES128 or AES256. providing_technologies = ["Microsoft Windows"] 
@@ -6797,7 +6947,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic leverages Event 4768, A Kerberos authentication ticket (TGT) was requested, to identify a TGT request with encryption type 0x17, or RC4-HMAC. This encryption type is no longer utilized by newer systems and could represent evidence of an OverPass The Hash attack. Similar to Pass The Hash, OverPass The Hash is a form of credential theft that allows adversaries to move laterally or consume resources in a target network. Leveraging this attack, an adversary who has stolen the NTLM hash of a valid domain account is able to authenticate to the Kerberos Distribution Center(KDC) on behalf of the legitimate account and obtain a Kerberos TGT ticket. Depending on the privileges of the compromised account, this ticket may be used to obtain unauthorized access to systems and other network resources. how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1550"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550"], "nist": ["DE.CM"]} known_false_positives = Based on Microsoft documentation, legacy systems or applications will use RC4-HMAC as the default encryption for TGT requests. Specifically, systems before Windows Server 2008 and Windows Vista. Newer systems will use AES128 or AES256. providing_technologies = ["Microsoft Windows"] 
@@ -6807,7 +6957,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic leverages Event Id 4768, A Kerberos authentication ticket (TGT) was requested, to identify one source endpoint trying to obtain an unusual number Kerberos TGT ticket for non existing users. This behavior could represent an adversary abusing the Kerberos protocol to perform a user enumeration attack against an Active Directory environment. When Kerberos is sent a TGT request with no preauthentication for an invalid username, it responds with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN or 0x6. Red teams and adversaries alike may abuse the Kerberos protocol to validate a list of users use them to perform further attacks.\ The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number requests. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1589", "T1589.002"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1589", "T1589.002"], "nist": ["DE.AE"]} known_false_positives = Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. providing_technologies = ["Microsoft Windows"] 
@@ -6817,7 +6967,7 @@ asset_type = Endpoint confidence = medium explanation = This search detects a suspicioous termination of known services killed by ransomware before encrypting files in a compromised machine. This technique is commonly seen in most of ransomware now a days to avoid exception error while accessing the targetted files it wants to encrypts because of the open handle of those services to the targetted file. how_to_implement = To successfully implement this search, you need to be ingesting logs with the 7036 EventCode ScManager in System audit Logs from your endpoints. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} known_false_positives = Admin activities or installing related updates may do a sudden stop to list of services we monitor. providing_technologies = null 
@@ -6827,7 +6977,7 @@ asset_type = endpoint confidence = medium explanation = This analytic is to detect a deletion of ssh key in a linux machine. attacker may delete or modify ssh key to impair some security features or act as defense evasion in compromised linux machine. This Anomaly can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]} known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -6837,7 +6987,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic aims to detect unauthorized activities through suspicious file creation in recognized cron table directories, prevalent Unix-based locations for scheduling tasks. This behavior is often exploited by nefarious entities like malware or threat actors, including red teamers, to establish persistence on a targeted or compromised host. The analogy to Windows-based scheduled tasks helps explain the utility of a crontab or cron job. To enhance clarity and actionable intelligence, the anomaly query flags the anomaly, urging further investigation into the added file's details. A cybersecurity analyst should consider additional data points such as the user identity involved, the file's nature and purpose, file origin, timestamp, and any changes in system behavior post file execution. This comprehensive understanding aids in accurately determining the file's legitimacy, facilitating prompt and effective response actions. how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} known_false_positives = Administrator or network operator can create file in crontab folders for automation purposes. Please update the filter macros to remove false positives. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -6847,7 +6997,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic looks for commands to create user accounts on the linux platform. This technique is commonly abuse by adversaries, malware author and red teamers to persist on the targeted or compromised host by creating new user with an elevated privilege. This Hunting query may catch normal creation of user by administrator so filter is needed. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.AE"]} known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -6857,7 +7007,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies suspicious modifications to cron jobs on Linux systems using the crontab command with list parameters. This command line parameter can be abused by malware like Industroyer2, as well as adversaries and red teamers, to add a crontab entry for executing their malicious code on a schedule of their choice. However, it's important to note that administrators or normal users may also use this command for legitimate automation purposes, so filtering is required to minimize false positives. Identifying the modification of cron jobs using list parameters is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is detected, further investigation should be conducted to analyze the added cron job, its associated command, and the impact it may have on the system. This includes examining the purpose of the job, reviewing any on-disk artifacts, and identifying any related processes or activities occurring concurrently. The impact of a true positive can range from unauthorized execution of malicious code to data destruction or other damaging outcomes. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -6867,7 +7017,7 @@ asset_type = Endpoint confidence = medium explanation = The apt-get is a command line tool for interacting with the Advanced Package Tool (APT) library (a package management system for Linux distributions). It allows you to search for, install, manage, update, and remove software. The tool does not build software from the source code. If sudo right is given to the tool for user, then the user can run system commands as root and possibly get a root shell. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} known_false_positives = False positives may be present, filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -6877,7 +7027,7 @@ asset_type = Endpoint confidence = medium explanation = Advanced Package Tool, more commonly known as APT, is a collection of tools used to install, update, remove, and otherwise manage software packages on Debian and its derivative operating systems, including Ubuntu and Linux Mint. If sudo right is given to the tool for user, then the user can run system commands as root and possibly get a root shell. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} known_false_positives = False positives may be present, filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -6888,7 +7038,7 @@ confidence = medium explanation = The following analytic detects the creation of suspicious configuration files, /etc/at.allow or /etc/at.deny, in Linux. These files are commonly abused by malware, adversaries, or red teamers to establish persistence on compromised hosts. The configuration files determine which users are allowed to execute the "at" application, which is used for scheduling tasks in Linux. Attackers can add their user or a compromised username to these files to execute malicious code using "at." It's important to consider potential false positives as administrators or network operators may create these files for legitimate automation purposes. Adjust the filter macros to minimize false positives.\ Identifying the creation of these configuration files is valuable for a SOC as it indicates potential unauthorized activities or an attacker attempting to establish persistence. If a true positive is found, further investigation is necessary to examine the contents of the created configuration file and determine the source of creation. The impact of a true positive can vary but could result in unauthorized execution of malicious code, data theft, or other detrimental consequences. Analysts should review the file path, creation time, and associated processes to assess the extent of the attack and initiate appropriate response actions. how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} known_false_positives = Administrator or network operator can create this file for automation purposes. Please update the filter macros to remove false positives. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -6900,7 +7050,7 @@ explanation = The following analytic detects the execution of the "At" applicati During triage, the SOC analyst should review the context surrounding the execution of the "At" application. This includes identifying the user, the parent process responsible for invoking the application, and the specific command-line arguments used. It is important to consider whether the execution is expected behavior by an administrator or network operator for legitimate automation purposes.\ The presence of "At" application execution may indicate an attacker's attempt to maintain unauthorized access to the environment. Immediate investigation and response are necessary to mitigate further risks, identify the attacker's intentions, and prevent potential harm to the organization. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.002", "T1053"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.002", "T1053"], "nist": ["DE.AE"]} known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. 
providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] @@ -6910,7 +7060,7 @@ asset_type = Endpoint confidence = medium explanation = Awk is mostly used for processing and scanning patterns. It checks one or more files to determine whether any lines fit the specified patterns, and if so, it does the appropriate action. If sudo right is given to AWK binary for the user, then the user can run system commands as root and possibly get a root shell. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -6920,7 +7070,7 @@ asset_type = Endpoint confidence = medium explanation = BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides minimalist replacements for most of the utilities you usually find in GNU coreutils, util-linux, etc. If sudo right is given to BusyBox application for the user, then the user can run system commands as root and possibly get a root shell. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} known_false_positives = False positives may be present, filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -6930,7 +7080,7 @@ asset_type = Endpoint confidence = medium explanation = The c89 and cc commands compile, assemble, and link-edit C programs; the cxx or c++ command does the same for C++ programs. The c89 command should be used when compiling C programs that are written according to Standard C. If sudo right is given to c89 application for the user, then the user can run system commands as root and possibly get a root shell. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} known_false_positives = False positives may be present, filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -6940,7 +7090,7 @@ asset_type = Endpoint confidence = medium explanation = The c99 utility is an interface to the standard C compilation system; it shall accept source code conforming to the ISO C standard. The system conceptually consists of a compiler and link editor. If sudo right is given to ruby application for the user, then the user can run system commands as root and possibly get a root shell. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} known_false_positives = False positives may be present, filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -6950,7 +7100,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic looks for a commandline that change the file owner to root using chown utility tool. This technique is commonly abuse by adversaries, malware author and red teamers to escalate privilege to the targeted or compromised host by changing the owner of their malicious file to root. This event is not so common in corporate network except from the administrator doing normal task that needs high privilege. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1222.002", "T1222"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222.002", "T1222"], "nist": ["DE.AE"]} known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -6960,7 +7110,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the use of Linux Xclip copying data out of the clipboard. Adversaries have utilized this technique to capture passwords, IP addresses, or store payloads. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1115"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1115"], "nist": ["DE.AE"]} known_false_positives = False positives may be present on Linux desktop as it may commonly be used by administrators or end users. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -6970,7 +7120,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic is to look for possible elevation control access using a common known process in linux platform to change the attribute and file ownership. This technique is commonly abused by adversaries, malware author and red teamers to gain persistence or privilege escalation on the target or compromised host. This common process is used to modify file attribute, file ownership or SUID. This tools can be used in legitimate purposes so filter is needed. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"]} known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -6980,7 +7130,7 @@ asset_type = Endpoint confidence = medium explanation = Composer is a tool for dependency management in PHP. It allows you to declare the libraries your project depends on and it will manage (install/update) them for you. If sudo right is given to tool for the user, then the user can run system commands as root and possibly get a root shell. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} known_false_positives = False positives may be present, filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -6990,7 +7140,7 @@ asset_type = Endpoint confidence = medium explanation = cpulimit is a simple program which attempts to limit the cpu usage of a process (expressed in percentage, not in cpu time). This is useful to control batch jobs, when you don't want them to eat too much cpu. If sudo right is given to the program for the user, then the user can run system commands as root and possibly get a root shell. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} known_false_positives = False positives may be present, filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -7000,7 +7150,7 @@ asset_type = Endpoint confidence = medium explanation = csvtool is an easy to use command-line tool to work with .CSV files. If sudo right is given to the tool for the user, then the user can run system commands as root and possibly get a root shell. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} known_false_positives = False positives may be present, filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -7010,7 +7160,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies curl being utilized with the -F or --form, --upload-file, -T, -d, --data, --data-raw, -I and --head switches to upload AWS credentials or config to a remote destination. This enables uploading of binary files and so forth. To force the 'content' part to be a file, prefix the file name with an @ sign. To just get the content part from a file, prefix the file name with the symbol <. The difference between @ and < is then that @ makes a file get attached in the post as a file upload, while the < makes a text field and just get the contents for that text field from a file. This technique was utlized by the TeamTNT group to exfiltrate AWS credentials. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} known_false_positives = Filtering may be required. In addition to AWS credentials, add other important files and monitor. The inverse would be to look for _all_ -F behavior and tune from there. 
providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] @@ -7020,7 +7170,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a unix shell command that can wipe root folders of a linux host. This commandline is being abused by Awfulshred malware that wipes or corrupts files in a targeted Linux host. The shell command uses the rm command with force recursive deletion even in the root folder. This TTP can be a good indicator that a user or a process wants to wipe roots directory files in Linux host. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -7030,7 +7180,7 @@ asset_type = endpoint confidence = medium explanation = This analytic is to look for dd command to overwrite file. This technique was abused by adversaries or threat actor to destroy files or data on specific system or in a large number of host within network to interrupt host avilability, services and many more. This is also used to destroy data where it make the file irrecoverable by forensic techniques through overwriting files, data or local and remote drives. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -7040,7 +7190,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic detects the behavior of decoding base64-encoded data and passing it to a Linux shell. Additionally, it mitigates the potential damage and protects the organization's systems and data.The detection is made by searching for specific commands in the Splunk query, namely "base64 -d" and "base64 --decode", within the Endpoint.Processes data model. The analytic also includes a filter for Linux shells. The detection is important because it indicates the presence of malicious activity since Base64 encoding is commonly used to obfuscate malicious commands or payloads, and decoding it can be a step in running those commands. It suggests that an attacker is attempting to run malicious commands on a Linux system to gain unauthorized access, for data exfiltration, or perform other malicious actions. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1027", "T1059.004"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1027", "T1059.004"], "nist": ["DE.CM"]} known_false_positives = False positives may be present based on legitimate software being utilized. Filter as needed. 
providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] @@ -7050,7 +7200,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a suspicious deletion of a critical folder in Linux machine using rm command. This technique was seen in industroyer2 campaign to wipe or destroy energy facilities of a targeted sector. Deletion in these list of folder is not so common since it need some elevated privileges to access some of it. We recommend to look further events specially in file access or file deletion, process commandline that may related to this technique. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -7060,7 +7210,7 @@ asset_type = endpoint confidence = medium explanation = This analytic is to detect a deletion of cron job in a linux machine. This technique can be related to an attacker, threat actor or malware to disable scheduled cron jobs that might be related to security or to evade some detections. We also saw that this technique can be a good indicator for malware that is trying to wipe or delete several files on the compromised host like the acidrain malware. This anomaly detection can be a good pivot detection to look for process and user doing it why they doing. Take note that this event can be done by administrator so filtering on those possible false positive event is needed. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]} known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -7070,7 +7220,7 @@ asset_type = endpoint confidence = medium explanation = This analytic is to detect a deletion of init daemon script in a linux machine. daemon script that place in /etc/init.d/ is a directory that can start and stop some daemon services in linux machines. attacker may delete or modify daemon script to impair some security features or act as defense evasion in a compromised linux machine. This TTP can be also a good indicator of a malware trying to wipe or delete several files in compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]} known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -7080,7 +7230,7 @@ asset_type = endpoint confidence = medium explanation = This analytic is to detect a deletion of services in a linux machine. attacker may delete or modify services to impair some security features or act as defense evasion in a compromised linux machine. This TTP can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]} known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -7090,7 +7240,7 @@ asset_type = endpoint confidence = medium explanation = This analytic is to detect a deletion of ssl certificate in a linux machine. attacker may delete or modify ssl certificate to impair some security features or act as defense evasion in compromised linux machine. This Anomaly can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]} known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -7100,7 +7250,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic is to detect events that attempts to disable a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then delete it. Adversaries utilize this technique like industroyer2 malware to terminate security services or other related services to continue there objective as a destructive payload. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]} known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -7110,7 +7260,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic is to detect the creation of doas.conf file in linux host platform. This configuration file can be use by doas utility tool to allow or permit standard users to perform tasks as root, the same way sudo does. This tool is developed as a minimalistic alternative to sudo application. This tool can be abused advesaries, attacker or malware to gain elevated privileges to the targeted or compromised host. On the other hand this can also be executed by administrator for a certain task that needs admin rights. In this case filter is needed. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -7120,7 +7270,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic is to detect the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does. This tool is developed as a minimalistic alternative to sudo application. This tool can be abused advesaries, attacker or malware to gain elevated privileges to the targeted or compromised host. On the other hand this can also be executed by administrator for a certain task that needs admin rights. In this case filter is needed. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -7130,7 +7280,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = Docker is an open source containerization platform. It helps programmers to bundle applications into containers, which are standardized executable parts that include the application source code along with the OS libraries and dependencies needed to run that code in any setting. The user can add mount the root directory into a container and edit the /etc/password file to add a super user. This requires the user to be privileged enough to run docker, i.e. being in the docker group or being root.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7143,7 +7293,7 @@ Recognizing such activity is vital for a SOC as cron job manipulations might sig
 To implement this analytic, logs capturing process name, parent process, and command-line executions from your endpoints must be ingested.\
 Known false positives could stem from valid administrative tasks or automation processes using crontab. To reduce these, fine-tune the filter macros according to the benign activities within your environment. These adjustments ensure legitimate actions aren't mistaken for threats, allowing analysts to focus on genuine potential risks.\
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]}
 known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7153,7 +7303,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = EMACS is a family of text editors that are characterized by their extensibility. The manual for the most widely used variant, GNU Emacs, describes it as "the extensible, customizable, self-documenting, real-time display editor". If sudo right is given to EMACS tool for the user, then the user can run special commands as root and possibly get a root shell.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 known_false_positives = False positives may be present, filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7163,7 +7313,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for suspicious file creation in kernel/driver directory in linux platform. This directory is known folder for all linux kernel module available within the system. so creation of file in this directory is a good indicator that there is a possible rootkit installation in the host machine. This technique was abuse by adversaries, malware author and red teamers to gain high privileges to their malicious code such us in kernel level. Even this event is not so common administrator or legitimate 3rd party tool may install driver or linux kernel module as part of its installation.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"]}
 known_false_positives = Administrator or network operator can create file in this folders for automation purposes. Please update the filter macros to remove false positives.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7173,7 +7323,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for suspicious file creation on init system directories for automatic execution of script or file upon boot up. This technique is commonly abuse by adversaries, malware author and red teamer to persist on the targeted or compromised host. This behavior can be executed or use by an administrator or network operator to add script files or binary files as part of a task or automation. filter is needed.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1037.004", "T1037"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1037.004", "T1037"], "nist": ["DE.AE"]}
 known_false_positives = Administrator or network operator can create file in this folders for automation purposes. Please update the filter macros to remove false positives.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7183,7 +7333,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for suspicious file creation in /etc/profile.d directory to automatically execute scripts by shell upon boot up of a linux machine. This technique is commonly abused by adversaries, malware and red teamers as a persistence mechanism to the targeted or compromised host. This Anomaly detection is a good indicator that someone wants to run a code after boot up which can be done also by the administrator or network operator for automation purposes.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1546.004", "T1546"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.004", "T1546"], "nist": ["DE.AE"]}
 known_false_positives = Administrator or network operator can create file in profile.d folders for automation purposes. Please update the filter macros to remove false positives.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7193,7 +7343,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = Find is a command-line utility that locates files based on some user-specified criteria and either prints the pathname of each matched object or, if another action is requested, performs that action on each matched object. If sudo right is given to find utility for the user, then the user can run system commands as root and possibly get a root shell.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7203,7 +7353,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = GDB is the acronym for GNU Debugger. This tool helps to debug the programs written in C, C++, Ada, Fortran, etc. The console can be opened using the gdb command on terminal. If sudo right is given to GDB tool for the user, then the user can run system commands as root and possibly get a root shell.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 known_false_positives = False positives may be present, filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7213,7 +7363,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = RubyGems is a package manager for the Ruby programming language that provides a standard format for distributing Ruby programs and libraries (in a self-contained format called a "gem"), a tool designed to easily manage the installation of gems, and a server for distributing them. If sudo right is given to GEM utility for the user, then the user can run system commands as root and possibly get a root shell.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 known_false_positives = False positives may be present, filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7223,7 +7373,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = gawk command in Linux is used for pattern scanning and processing language. The awk command requires no compiling and allows the user to use variables, numeric functions, string functions, and logical operators. It is a utility that enables programmers to write tiny and effective programs in the form of statements that define text patterns that are to be searched for, in a text document and the action that is to be taken when a match is found within a line. If sudo right is given to gawk tool for the user, then the user can run system commands as root and possibly get a root shell.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 known_false_positives = False positives may be present, filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7233,7 +7383,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for process execution to disable the swapping of paging devices. This technique was seen in Awfulshred malware that disables the swapping of the specified devices and files. This anomaly detection can be a good indicator that a process or a user tries to disable this Linux feature in a targeted host.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1200"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1200"], "nist": ["DE.AE"]}
 known_false_positives = administrator may disable swapping of devices in a linux host. Filter is needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7243,7 +7393,7 @@ asset_type = endpoint
 confidence = medium
 explanation = This analytic is to detect a high frequency of file deletion relative to process name and process id /boot/ folder. These events was seen in industroyer2 wiper malware where it tries to delete all files in a critical directory in linux directory. This detection already contains some filter that might cause false positive during our testing.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]}
 known_false_positives = linux package installer/uninstaller may cause this event. Please update you filter macro to remove false positives.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7253,7 +7403,7 @@ asset_type = endpoint
 confidence = medium
 explanation = This analytic is to detect a high frequency of file deletion relative to process name and process id /etc/ folder. These events was seen in acidrain wiper malware where it tries to delete all files in a non-standard directory in linux directory. This detection already contains some filter that might cause false positive during our testing. But we recommend to add more filter if needed.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]}
 known_false_positives = linux package installer/uninstaller may cause this event. Please update you filter macro to remove false positives.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7263,7 +7413,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for PKILL process execution for possible termination of process. This technique is being used by several Threat actors, adversaries and red teamers to terminate processes in a targeted linux machine. This Hunting detection can be a good pivot to check a possible defense evasion technique or termination of security application in a linux host or wiper like Awfulshred that corrupt all files.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
 known_false_positives = network admin can terminate a process using this linux command. Filter is needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7273,7 +7423,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for processes that clear or free page cache in Linux system host. This technique was seen in Awfulshred malware wiper that tries to clear the cache using kernel system request drop_caches while wiping all files in the targeted host. This TTP detection can be a good indicator of user or process tries to clear page cache to delete tracks or might be a wiper like Awfulshred.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7283,7 +7433,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for suspicious linux processes that delete service unit configuration files. This technique was seen in several malware to delete service configuration files to corrupt a services or security product as part of its defense evasion. This TTP detection can be a good indicator of possible malware try to kill several services or a wiper like AwfulShred shell script that wipes the targeted linux host
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.AE"]}
 known_false_positives = network admin can delete services unit configuration file as part of normal software installation. Filter is needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7293,7 +7443,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic hunts for curl and wget being utilized in the environment. This is meant to help with identifying normal usage and potentially malicious. Utilize this query to tune other curl and wget analytics.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1105"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.AE"]}
 known_false_positives = False positives will be present. This query is meant to help tune other curl and wget analytics.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7303,7 +7453,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies curl with the command-line switches that are commonly used to download, output, a remote script or binary. MetaSploit Framework will combine the -sO switch with | chmod +x to enable a simple one liner to download and set the execute bit to run the file immediately. During triage, review the remote domain and file being downloaded for legitimacy.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1105"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.AE"]}
 known_false_positives = False positives will be present. Tune and then change type to TTP.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7313,7 +7463,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for inserting of linux kernel module using insmod utility function. This event can detect a installation of rootkit or malicious kernel module to gain elevated privileges to their malicious code and bypassed detections. This Anomaly detection is a good indicator that someone installing kernel module in a linux host either admin or adversaries. filter is needed in this scenario
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"]}
 known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7323,7 +7473,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for possible installing a linux kernel module using modprobe utility function. This event can detect a installation of rootkit or malicious kernel module to gain elevated privileges to their malicious code and bypassed detections. This Anomaly detection is a good indicator that someone installing kernel module in a linux host either admin or adversaries. filter is needed in this scenario
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"]}
 known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7333,7 +7483,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for suspicious commandline that modify the iptables firewall setting of a linux machine. This technique was seen in cyclopsblink malware where it modifies the firewall setting of the compromised machine to allow traffic to its tcp port that will be used to communicate with its C2 server.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]}
 known_false_positives = administrator may do this commandline for auditing and testing purposes. In this scenario filter is needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7343,7 +7493,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies the process name of Java, Apache, or Tomcat spawning a Linux shell. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). The shells included in the macro are "sh", "ksh", "zsh", "bash", "dash", "rbash", "fish", "csh', "tcsh', "ion", "eshell". Upon triage, review parallel processes and command-line arguments to determine legitimacy.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
 known_false_positives = Filtering may be required on internal developer build systems or classify assets as web facing and restrict the analytic based on asset type.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7353,7 +7503,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies the process kmod being utilized to list kernel modules in use. Typically, this is not seen as malicious, however it may be a precurser to the use of insmod to install a module.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1082", "T1014"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082", "T1014"], "nist": ["DE.AE"]}
 known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7363,7 +7513,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for suspicious process kworker commandline in a linux machine. kworker process name or thread are common names of kernel threads in linux process. This hunting detections can lead to investigate process contains process path in writable directory in linux like /home/, /var/log and /tmp/. This technique was seen in cyclopsblink malware to blend its core and other of its child process as normal kworker on the compromised machine. This detection might be a good pivot to look for other IOC related to cyclopsblink malware or attacks.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1036.004", "T1036"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.004", "T1036"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7373,7 +7523,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The Linux make command is used to build and maintain groups of programs and files from the source code. In Linux, it is one of the most frequently used commands by the developers. It assists developers to install and compile many utilities from the terminal. If sudo right is given to make utility for the user, then the user can run system commands as root and possibly get a root shell.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 known_false_positives = False positives may be present, filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7383,7 +7533,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = MySQL is an open-source relational database management system. Its name is a combination of "My", the name of co-founder Michael Widenius's daughter My, and "SQL", the abbreviation for Structured Query Language. If sudo right is given to mysql utility for the user, then the user can run system commands as root and possibly get a root shell.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7393,7 +7543,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies the use of Ngrok being utilized on the Linux operating system. Unfortunately, there is no original file name for Ngrok, so it may be worth an additional hunt to identify any command-line arguments. The sign of someone using Ngrok is not malicious, however, more recently it has become an adversary tool.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1572", "T1090", "T1102"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1572", "T1090", "T1102"], "nist": ["DE.AE"]}
 known_false_positives = False positives may be present if Ngrok is an authorized utility. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7403,7 +7553,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = Node.js is a back-end JavaScript runtime environment that is open-source, cross-platform, runs on the V8 engine, and executes JavaScript code outside of a web browser. It was created to help create scalable network applications. If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7413,7 +7563,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to look for suspicious command lines that may add entry to /etc/sudoers with NOPASSWD attribute in linux platform. This technique is commonly abuse by adversaries, malware author and red teamers to gain elevated privilege to the targeted or compromised host. /etc/sudoers file controls who can run what commands users can execute on the machines and can also control whether user need a password to execute particular commands. This file is composed of aliases (basically variables) and user specifications.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7423,7 +7573,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies the use of base64 decode on Linux being utilized to deobfuscate a file. Identify the source of the file and determine if legitimate. Review parallel processes for further behavior before and after.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1027"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027"], "nist": ["DE.AE"]}
 known_false_positives = False positives may be present and will require some tuning based on processes. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7433,7 +7583,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = GNU Octave is a high-level programming language primarily intended for scientific computing and numerical computation. Octave helps in solving linear and nonlinear problems numerically, and for performing other numerical experiments using a language that is mostly compatible with MATLAB. If sudo right is given to the application for the user, then the user can run system commands as root and possibly get a root shell.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 known_false_positives = False positives may be present, filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7443,7 +7593,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = OpenVPN is a virtual private network system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications. If sudo right is given to the OpenVPN application for the user, then the user can run system commands as root and possibly get a root shell.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 known_false_positives = False positives may be present, filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7453,7 +7603,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following correlation is specific to Linux persistence and privilege escalation tactics and is tied to two analytic stories and any Linux analytic tied to persistence and privilege escalation. These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context.
 how_to_implement = Ensure Linux anomaly and TTP analytics are enabled. TTP may be set to Notables for point detections, anomaly should not be notables but risk generators. The correlation relies on more than x amount of distict detection names generated before generating a notable. Modify the value as needed. Default value is set to 4. This value may need to be increased based on activity in your environment.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.AE"]}
 known_false_positives = False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers.
 providing_technologies = null
 
@@ -7463,7 +7613,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = PHP is a general-purpose scripting language geared toward web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1994. The PHP reference implementation is now produced by The PHP Group. If sudo right is given to php application for the user, then the user can run system commands as root and possibly get a root shell.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 known_false_positives = False positives may be present, filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7473,7 +7623,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies `pkexec` spawning with no command-line arguments. A vulnerability in Polkit's pkexec component identified as CVE-2021-4034 (PwnKit) which is present in the default configuration of all major Linux distributions and can be exploited to gain full root privileges on the system.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present, filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7483,7 +7633,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to look for suspicious process command-line that might be accessing or modifying sshd_config. This file is the ssh configuration file that might be modify by threat actors or adversaries to redirect port connection, allow user using authorized key generated during attack. This anomaly detection might catch noise from administrator auditing or modifying ssh configuration file. In this scenario filter is needed
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]}
 known_false_positives = Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7493,7 +7643,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to detect a possible attempt to dump or access the content of /etc/passwd and /etc/shadow to enable offline credential cracking. "etc/passwd" store user information within linux OS while "etc/shadow" contain the user passwords hash. Adversaries and threat actors may attempt to access this to gain persistence and/or privilege escalation. This anomaly detection can be a good indicator of possible credential dumping technique but it might catch some normal administrator automation scripts or during credential auditing. In this scenario filter is needed.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.008", "T1003"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.008", "T1003"], "nist": ["DE.AE"]}
 known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7503,7 +7653,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to detect a possible access or modification of /etc/sudoers file. "/etc/sudoers" file controls who can run what command as what users on what machine and can also control whether a specific user need a password for particular commands. adversaries and threat actors abuse this file to gain persistence and/or privilege escalation during attack on targeted host.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 known_false_positives = administrator or network operator can execute this command. Please update the filter macros to remove false positives.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7514,7 +7664,7 @@ confidence = medium
 explanation = The following analytic is designed to identify suspicious command lines that may append user entries to either /etc/at.allow or /etc/at.deny. These files can be exploited by malicious actors for persistence on a compromised Linux host by altering permissions for scheduled tasks using the at command.\
 In this context, an attacker can create a user or add an existing user to these configuration files to execute their malicious code through scheduled tasks. The detection of such anomalous behavior can serve as an effective indicator warranting further investigation to validate if the activity is indeed malicious or a false positive.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.002", "T1053"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.002", "T1053"], "nist": ["DE.AE"]}
 known_false_positives = Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7524,7 +7674,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for suspicious command-lines that can be possibly used to modify user profile files to automatically execute scripts/executables by shell upon reboot of the machine. This technique is commonly abused by adversaries, malware and red teamers as persistence mechanism to the targeted or compromised host. This Anomaly detection is a good indicator that someone wants to run code after reboot which can be done also by the administrator or network operator for automation purposes.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1546.004", "T1546"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.004", "T1546"], "nist": ["DE.AE"]}
 known_false_positives = Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -7536,7 +7686,7 @@ explanation = The following analytic is designed to detect potential tampering w The analytic operates by monitoring logs for specific process names, parent processes, and command-line executions from your endpoints. It specifically checks for any 'echo' command which modifies files in directories commonly associated with cron jobs such as '/etc/cron*', '/var/spool/cron/', and '/etc/anacrontab'. If such activity is detected, an alert is triggered.\ This behavior is worth identifying for a SOC because malicious cron jobs can lead to system compromises and unauthorized data access, impacting business operations and data integrity. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} known_false_positives = False positives may arise from legitimate actions by administrators or network operators who may use these commands for automation purposes. Therefore, it's recommended to adjust filter macros to eliminate such false positives. 
providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] @@ -7549,7 +7699,7 @@ In case of a true positive, the impact could be severe. An attacker with escalat To implement this analytic, ensure ingestion of logs tracking process name, parent process, and command-line executions from your endpoints. Utilize the Add-on for Linux Sysmon from Splunkbase if you're using Sysmon.\ Known false positives include legitimate administrative tasks, as these commands may also be used for benign purposes. Careful tuning and filtering based on known benign activity in your environment can minimize these instances. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} known_false_positives = Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -7559,7 +7709,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic is to look for possible ssh key file creation on ~/.ssh/ folder. This technique is commonly abused by threat actors and adversaries to gain persistence and privilege escalation to the targeted host. by creating ssh private and public key and passing the public key to the attacker server. threat actor can access remotely the machine using openssh daemon service. how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]} known_false_positives = Administrator or network operator can create file in ~/.ssh folders for automation purposes. Please update the filter macros to remove false positives. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -7569,7 +7719,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic is to detect a suspicious command that may hijack a library function in linux platform. This technique is commonly abuse by adversaries, malware author and red teamers to gain privileges and persist on the machine. This detection pertains to loading a dll to hijack or hook a library function of specific program using LD_PRELOAD command. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1574.006", "T1574"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.006", "T1574"], "nist": ["DE.CM"]} known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -7579,7 +7729,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies curl being utilized with a proxy based on command-line arguments - -x, socks, --preproxy and --proxy. This behavior is built into the MetaSploit Framework as a auxiliary module. What does socks buy an adversary? SOCKS4a extends the SOCKS4 protocol to allow a client to specify a destination domain name rather than an IP address. The SOCKS5 protocol is defined in RFC 1928. It is an incompatible extension of the SOCKS4 protocol; it offers more choices for authentication and adds support for IPv6 and UDP, the latter of which can be used for DNS lookups. The protocols, and a proxy itself, allow an adversary to evade controls in place monitoring traffic, making it harder for the defender to identify and track activity. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1090", "T1095"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1090", "T1095"], "nist": ["DE.CM"]} known_false_positives = False positives may be present based on proxy usage internally. Filter as needed. 
providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] @@ -7589,7 +7739,7 @@ asset_type = Endpoint confidence = medium explanation = In computing, Puppet is a software configuration management tool which includes its own declarative language to describe system configuration. It is a model-driven solution that requires limited programming knowledge to use. If sudo right is given to the tool for the user, then the user can run system commands as root and possibly get a root shell. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} known_false_positives = False positives may be present, filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -7599,7 +7749,7 @@ asset_type = Endpoint confidence = medium explanation = RPM Package Manager is a free and open-source package management system. The name RPM refers to the .rpm file format and the package manager program itself. RPM was intended primarily for Linux distributions; the file format is the baseline package format of the Linux Standard Base. If sudo right is given to rpm utility for the user, then the user can run system commands as root and possibly get a root shell. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -7609,7 +7759,7 @@ asset_type = Endpoint confidence = medium explanation = Ruby is one of the most used and easy to use programming languages. Ruby is an open-source, object-oriented interpreter that can be installed on a Linux system. If sudo right is given to ruby application for the user, then the user can run system commands as root and possibly get a root shell. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} known_false_positives = False positives are present based on automated tooling or system administrative usage. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -7620,7 +7770,7 @@ confidence = medium explanation = The following analytic is designed to detect suspicious file creation within the systemd timer directory on Linux platforms. Systemd is a system and service manager for Linux, similar to the combination of wininit.exe and services.exe on Windows. This process initializes a Linux system and starts defined services in unit files. Malicious actors, such as adversaries, malware, or red teamers, can exploit this feature by embedding a systemd service file for persistence on the targeted or compromised host.\ The analytic works by monitoring logs with file name, file path, and process GUID data from your endpoints. If a .service file is created in certain systemd directories, the analytic triggers an alert. This behavior is significant for a Security Operations Center (SOC) as it may indicate a persistent threat within the network, with a potential impact of system compromise or data exfiltration. how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]} known_false_positives = False positives may arise when administrators or network operators create files in systemd directories for legitimate automation tasks. Therefore, it's important to adjust filter macros to account for valid activities. To implement this search successfully, it's crucial to ingest appropriate logs, preferably using the Linux Sysmon Add-on from Splunkbase for those using Sysmon. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -7632,7 +7782,7 @@ explanation = The following analytic detects the restarting or re-enabling of se It's important to be aware that this analytic may generate false positives as administrators or network operators may use the same command-line for legitimate automation purposes. Filter macros should be updated accordingly to minimize false positives.\ Identifying restarted or re-enabled services is valuable for a SOC as it can indicate potential malicious activities attempting to maintain persistence or execute unauthorized actions on Linux systems. By detecting and investigating these events, security analysts can respond promptly to mitigate risks and prevent further compromise. The impact of a true positive can range from unauthorized access to data destruction or other damaging outcomes. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]} known_false_positives = Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. 
providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -7642,7 +7792,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic detects the creation or enabling of services in Linux platforms, specifically using the systemctl or service tool application. This behavior is worth identifying as adversaries may create or modify services to execute malicious payloads as part of persistence. Legitimate services created by administrators for automation purposes may also trigger this analytic, so it is important to update the filter macros to remove false positives. If a true positive is found, it suggests an possible attacker is attempting to persist within the environment or deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the process name, parent process, and command-line executions from your endpoints. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]} known_false_positives = Administrator or network operator can use this commandline for automation purposes. 
Please update the filter macros to remove false positives. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -7652,7 +7802,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic looks for suspicious chmod utility execution to enable SUID bit. This allows a user to temporarily gain root access, usually in order to run a program. For example, only the root account is allowed to change the password information contained in the password database; If the SUID bit appears as an s, the file's owner also has execute permission to the file; if it appears as an S, the file's owner does not have execute permission. The second specialty permission is the SGID, or set group id bit. It is similar to the SUID bit, except it can temporarily change group membership, usually to execute a program. The SGID bit is set if an s or an S appears in the group section of permissions. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"]} known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. 
providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -7662,7 +7812,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic looks for suspicious setcap utility execution to enable SUID bit. This allows a user to temporarily gain root access, usually in order to run a program. For example, only the root account is allowed to change the password information contained in the password database; If the SUID bit appears as an s, the file's owner also has execute permission to the file; if it appears as an S, the file's owner does not have execute permission. The second specialty permission is the SGID, or set group id bit. It is similar to the SUID bit, except it can temporarily change group membership, usually to execute a program. The SGID bit is set if an s or an S appears in the group section of permissions. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"]} known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives. 
providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -7672,7 +7822,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic is to detect a shred process to overwrite a files in a linux machine. Shred Linux application is designed to overwrite file to hide its contents or make the deleted file un-recoverable. Weve seen this technique in industroyer2 malware that tries to wipe energy facilities of targeted sector as part of its destructive attack. It might be some normal user may use this command for valid purposes but it is recommended to check what files, disk or folder it tries to shred that might be good pivot for incident response in this type of destructive malware. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -7682,7 +7832,7 @@ asset_type = Endpoint confidence = medium explanation = sqlite3 is a terminal-based front-end to the SQLite library that can evaluate queries interactively and display the results in multiple formats. sqlite3 can also be used within shell scripts and other applications to provide batch processing features. If sudo right is given to this application for the user, then the user can run system commands as root and possibly get a root shell. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} known_false_positives = False positives may be present, filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -7692,7 +7842,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies based on process execution the modification of SSH Authorized Keys. Adversaries perform this behavior to persist on endpoints. During triage, review parallel processes and capture any additional file modifications for review. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1098.004"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.004"], "nist": ["DE.AE"]} known_false_positives = Filtering will be required as system administrators will add and remove. One way to filter query is to add "echo". providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -7702,7 +7852,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies SSH being utilized to move laterally and execute a script or file on the remote host. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1021.004"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.004"], "nist": ["DE.CM"]} known_false_positives = This is not a common command to be executed. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -7712,7 +7862,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic looks for suspicious commandline that redirect the stdout or possible stderror to dev/null file. This technique was seen in cyclopsblink malware where it redirect the possible output or error while modify the iptables firewall setting of the compromised machine to hide its action from the user. This Anomaly detection is a good pivot to look further why process or user use this un common approach. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -7722,7 +7872,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic is to detect events that attempt to stop or clear a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then delete it. Adversaries utilize this technique like industroyer2 malware to terminate security services or other related services to continue there objective as a destructive payload.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]}
 known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -7732,7 +7882,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to detect the execution of sudo or su command in linux operating system. The "sudo" command allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This command is commonly abused by adversaries, malware author and red teamers to elevate privileges to the targeted host. This command can be executed by administrator for legitimate purposes or to execute process that need admin privileges, In this scenario filter is needed.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -7742,7 +7892,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to looks for file creation of sudoers.tmp file cause by editing /etc/sudoers using visudo or editor in linux platform. This technique may abuse by adversaries, malware author and red teamers to gain elevated privilege to targeted or compromised host. /etc/sudoers file controls who can run what commands as what users on what machines and can also control special things such as whether you need a password for particular commands. The file is composed of aliases (basically variables) and user specifications (which control who can run what).
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 known_false_positives = administrator or network operator can execute this command. Please update the filter macros to remove false positives.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -7752,7 +7902,7 @@ asset_type = endpoint
 confidence = medium
 explanation = This analytic is to look for possible enumeration of local network configuration. This technique is commonly used as part of recon of adversaries or threat actor to know some network information for its next or further attack. This anomaly detections may capture normal event made by administrator during auditing or testing network connection of specific host or network to network.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1016"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1016"], "nist": ["DE.AE"]}
 known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -7762,7 +7912,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to look for possible execution of SysReq hack to reboot the Linux system host. This technique was seen in Awfulshred malware wiper to reboot the compromised host by using the linux magic sysreq key. This kernel configuration can trigger reboot by piping out 'b' to /proc/sysrq-trigger after enabling all the functions of sysrq. This TTP detection can be a good indicator of possible suspicious processes running on the Linux host since this command is not a common way to reboot a system.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1529"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1529"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -7772,7 +7922,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to look for possible execution of SysReq hack to enable all functions of kernel system requests of the Linux system host. This technique was seen in AwfulShred malware wiper to reboot the compromised host by using the linux magic sysreq key. This kernel configuration can be triggered by piping out bitmask '1' to /proc/sys/kernel/sysrq. This TTP detection can be a good indicator of possible suspicious processes running on the Linux host since this command is not so common shell commandline.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.004", "T1059"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.004", "T1059"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -7782,7 +7932,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to looks for suspicious commandline that add entry to /etc/sudoers by using visudo utility tool in linux platform. This technique may abuse by adversaries, malware author and red teamers to gain elevated privilege to targeted or compromised host. /etc/sudoers file controls who can run what commands as what users on what machines and can also control special things such as whether you need a password for particular commands. The file is composed of aliases (basically variables) and user specifications (which control who can run what).
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 known_false_positives = Administrator or network operator can execute this command. Please update the filter macros to remove false positives.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -7792,7 +7942,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following correlation identifies a distinct amount of analytics associated with the Living Off The Land analytic story that identify potentially suspicious behavior.
 how_to_implement = To implement this correlation search a user needs to enable all detections in the Living Off The Land Analytic Story and confirm it is generating risk events. A simple search `index=risk analyticstories="Living Off The Land"` should contain events.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1105", "T1190", "T1059", "T1133"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Delivery", "Installation"], "mitre_attack": ["T1105", "T1190", "T1059", "T1133"], "nist": ["DE.AE"]}
 known_false_positives = There are no known false positive for this search, but it could contain false positives as multiple detections can trigger and not have successful exploitation. Modify the static value distinct_detection_name to a higher value. It is also required to tune analytics that are also tagged to ensure volume is never too much.
 providing_technologies = null
@@ -7802,7 +7952,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = DynamicWrapperX is an ActiveX component that can be used in a script to call Windows API functions, but it requires the dynwrapx.dll to be installed and registered. With that, registering or loading dynwrapx.dll to a host is highly suspicious. In most instances when it is used maliciously, the best way to triage is to review parallel processes and pivot on the process_guid. Review the registry for any suspicious modifications meant to load dynwrapx.dll. Identify any suspicious module loads of dynwrapx.dll. This detection will return and identify the processes that invoke vbs/wscript/cscript.
 how_to_implement = To successfully implement this search you need to be ingesting information on processes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1055", "T1055.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055", "T1055.001"], "nist": ["DE.CM"]}
 known_false_positives = False positives should be limited, however it is possible to filter by Processes.process_name and specific processes (ex. wscript.exe). Filter as needed. This may need modification based on EDR telemetry and how it brings in registry data. For example, removal of (Default).
 providing_technologies = null
@@ -7812,7 +7962,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for local users. The two arguments `user` and 'users', return a list of all local users. Red Teams and adversaries alike use net.exe to enumerate users for situational awareness and Active Directory Discovery.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]}
 known_false_positives = Administrators or power users may use this command for troubleshooting.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -7822,7 +7972,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for local users. The argument `useraccount` is used to leverage WMI to return a list of all local users. Red Teams and adversaries alike use net.exe to enumerate users for situational awareness and Active Directory Discovery.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]}
 known_false_positives = Administrators or power users may use this command for troubleshooting.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
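Review bot: The explanation in this wmic.exe user-enumeration stanza ends with "Red Teams and adversaries alike use net.exe to enumerate users", which looks copied from the neighbouring net.exe stanza; the annotation line added here carries the identical T1087/T1087.001 tags, so the two stanzas are now distinguishable only by that sentence, and the wrong binary name will mislead an analyst pivoting from a notable. Since dist/ is produced by the release job, the wording should be corrected in the source detection YAML rather than patched here, e.g. `Red Teams and adversaries alike use wmic.exe to enumerate users for situational awareness and Active Directory Discovery.` The rest of the stanza (type and search) lies outside this hunk.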
@@ -7832,7 +7982,7 @@ asset_type = endpoint
 confidence = medium
 explanation = This correlation find exploitation of Log4Shell CVE-2021-44228 against systems using detections from Splunk Security Content Analytic Story. It does this by calculating the distinct count of MITRE ATT&CK tactics from Log4Shell detections fired. If the count is larger than 2 or more distinct MITRE ATT&CK tactics we assume high problability of exploitation. The Analytic story breaks down into 3 major phases of a Log4Shell exploitation, specifically> Initial Payload delivery eg. `${jndi:ldap://PAYLOAD_INJECTED}` Call back to malicious LDAP server eg. Exploit.class Post Exploitation Activity/Lateral Movement using Powershell or similar T1562.001 Each of these phases fall into different MITRE ATT&CK Tactics (Initial Access, Execution, Command And Control), by looking into 2 or more phases showing up in detections triggerd is how this correlation search finds exploitation. If we get a notable from this correlation search the best way to triage it is by investigating the affected systems against Log4Shell exploitation using Splunk SOAR playbooks.
 how_to_implement = To implement this correlation search a user needs to enable all detections in the Log4Shell Analytic Story and confirm it is generation risk events. A simple search `index=risk analyticstories="Log4Shell CVE-2021-44228"` should contain events.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1105", "T1190", "T1059", "T1133"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Delivery", "Installation"], "mitre_attack": ["T1105", "T1190", "T1059", "T1133"], "nist": ["DE.AE"]}
 known_false_positives = There are no known false positive for this search, but it could contain false positives as multiple detections can trigger and not have successful exploitation.
 providing_technologies = null
@@ -7842,7 +7992,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect a suspicious modification of registry entry to persist and gain privilege escalation upon booting up of compromised host. This technique was seen in several APT and malware where it modify UserInitMprLogonScript registry entry to its malicious payload to be executed upon boot up of the machine.
 how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1037", "T1037.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1037", "T1037.001"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -7852,7 +8002,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies LOLBAS with network traffic. When adversaries abuse LOLBAS they are often used to download malicious code or executables. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like downloading malicious code. Looking for these process can help defenders identify lateral movement, command-and-control, or exfiltration activies.
 how_to_implement = To successfully implement this detection you must ingest events into the Network traffic data model that contain the source, destination, and communicating process in the app feild. Relevant processes must also be ingested in the Endpoint data model with matching process_id feild. Sysmon EID1 and EID3 are good examples of this type this data type.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1105", "T1567", "T1218"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control", "Actions on Objectives", "Exploitation"], "mitre_attack": ["T1105", "T1567", "T1218"], "nist": ["DE.CM"]}
 known_false_positives = Legitmate usage of internal automation or scripting, espically powershell.exe internal to internal or logon scripts. It may be necessary to omit internal IP ranges if extremely noisy. ie NOT dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","170.98.0.0/16","0:0:0:0:0:0:0:1")
 providing_technologies = null
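Review bot: The known_false_positives guidance that follows the new annotation line lists `170.98.0.0/16` among the "internal IP ranges" to exclude, but that prefix is not an RFC 1918 block and is publicly routable, so an operator who copies the example verbatim would blind this detection, now tagged Command and Control and Actions on Objectives for T1105/T1567, to an entire public /16. Unless the prefix is an organization-specific range (in which case the text should say so), the example should contain only the private prefixes and loopback: `NOT dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","0:0:0:0:0:0:0:1")`. As dist/ is generated by the release job, the correction belongs in the source detection YAML; the stanza's search and type keys are outside this hunk.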
@@ -7872,7 +8022,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = Detect multiple executions of Living off the Land (LOLbin) binaries in a short period of time.
 how_to_implement = This detection uses osquery and endpoint security on MacOS. Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.004", "T1059"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.004", "T1059"], "nist": ["DE.CM"]}
 known_false_positives = None identified.
 providing_technologies = null
@@ -7882,7 +8032,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = Detect usage of plutil to modify plist files. Adversaries can modiy plist files to executed binaries or add command line arguments. Plist files in auto-run locations are executed upon user logon or system startup.
 how_to_implement = This detection uses osquery and endpoint security on MacOS. Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1647"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1647"], "nist": ["DE.CM"]}
 known_false_positives = Administrators using plutil to change plist files.
 providing_technologies = null
@@ -7892,7 +8042,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect known mailsniper.ps1 functions executed in a machine. This technique was seen in some attacker to harvest some sensitive e-mail in a compromised exchange server.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1114", "T1114.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.001"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Microsoft Windows"]
@@ -7902,7 +8052,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a process modifying the registry with a known malicious CLSID under InProcServer32. Most COM classes are registered with the operating system and are identified by a GUID that represents the Class Identifier (CLSID) within the registry (usually under HKLM\\Software\\Classes\\CLSID or HKCU\\Software\\Classes\\CLSID). Behind the implementation of a COM class is the server (some binary) that is referenced within registry keys under the CLSID. The LocalServer32 key represents a path to an executable (exe) implementation, and the InprocServer32 key represents a path to a dynamic link library (DLL) implementation (Bohops). During triage, review parallel processes for suspicious activity. Pivot on the process GUID to see the full timeline of events. Analyze the value and look for file modifications. Being this is looking for inprocserver32, a DLL found in the value will most likely be loaded by a parallel process.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218.010", "T1112"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.010", "T1112"], "nist": ["DE.CM"]}
 known_false_positives = False positives should be limited, filter as needed. In our test case, Remcos used regsvr32.exe to modify the registry. It may be required, dependent upon the EDR tool producing registry events, to remove (Default) from the command-line.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -7912,7 +8062,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This detection is to identify the abuse the Windows SC.exe to execute malicious commands or payloads via PowerShell.
 how_to_implement = To successfully implement this search, you need to be ingesting Windows System logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.CM"]}
 known_false_positives = Creating a hidden powershell service is rare and could key off of those instances.
 providing_technologies = null
@@ -7925,7 +8075,7 @@ The analytic identifies all variations of EncodedCommand, as PowerShell allows t
 During triage, review parallel events to determine legitimacy. Tune as needed based on admin scripts in use. \
 Alternatively, may use regex per matching here https://regexr.com/662ov.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1027"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027"], "nist": ["DE.AE"]}
 known_false_positives = System administrators may use this option, but it's not common.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -7935,7 +8085,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for PowerShell processes started with parameters used to bypass the local execution policy for scripts. These parameters are often observed in attacks leveraging PowerShell scripts as they override the default PowerShell execution policy.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
 known_false_positives = There may be legitimate reasons to bypass the PowerShell execution policy. The PowerShell script being run with this parameter should be validated to ensure that it is legitimate.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -7945,7 +8095,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for PowerShell processes launched with arguments that have characters indicative of obfuscation on the command-line.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
 known_false_positives = These characters might be legitimately on the command-line, but it is not common.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -7955,7 +8105,7 @@ asset_type = endpoint
 confidence = medium
 explanation = The following analytic looks for the use of Mimikatz command line parameters leveraged to execute pass the ticket attacks. Red teams and adversaries alike may use the pass the ticket technique using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Defenders should be aware that adversaries may customize the source code of Mimikatz and modify the command line parameters. This would effectively bypass this analytic.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1550", "T1550.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.003"], "nist": ["DE.CM"]}
 known_false_positives = Although highly unlikely, legitimate applications may use the same command line parameters as Mimikatz.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -7965,7 +8115,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies `mmc.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the DCOM protocol and the MMC20 COM object, the executed command is spawned as a child processs of `mmc.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of mmc.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1021", "T1021.003", "T1218.014"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.003", "T1218.014"], "nist": ["DE.CM"]}
 known_false_positives = Legitimate applications may trigger this behavior, filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -7975,7 +8125,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic identifies suspicious modification of registry to deface or change the wallpaper of a compromised machines as part of its payload. This technique was commonly seen in ransomware like REVIL where it create a bitmap file contain a note that the machine was compromised and make it as a wallpaper.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the Image, TargetObject registry key, registry Details from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1491"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1491"], "nist": ["DE.CM"]}
 known_false_positives = 3rd party tool may used to changed the wallpaper of the machine
 providing_technologies = null
@@ -7985,7 +8135,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic identifies suspicious modification of ACL permission to a files or folder to make it available to everyone. This technique may be used by the adversary to evade ACLs or protected files access. This changes is commonly configured by the file or directory owner with appropriate permission. This behavior is a good indicator if this command seen on a machine utilized by an account with no permission to do so.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1222"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.AE"]}
 known_false_positives = administrators may use this command. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -7995,7 +8145,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for registry activity associated with modifications to the registry key `HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors`. In this scenario, an attacker can load an arbitrary .dll into the print-monitor registry by giving the full path name to the after.dll. The system will execute the .dll with elevated (SYSTEM) permissions and will persist after reboot.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.010", "T1547"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.010", "T1547"], "nist": ["DE.CM"]}
 known_false_positives = You will encounter noise from legitimate print-monitor registry entries.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -8005,7 +8155,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell. Paths include: `\HttpProxy\owa\auth\`, `\inetpub\wwwroot\aspnet_client\`, and `\HttpProxy\OAB\`. The analytic is limited to process name MSExchangeMailboxReplication.exe, which typically does not write .aspx files to disk. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1505", "T1505.003", "T1190", "T1133"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505", "T1505.003", "T1190", "T1133"], "nist": ["DE.CM"]}
 known_false_positives = The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -8015,7 +8165,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect a suspicious MS scripting process such as wscript.exe or cscript.exe that loading ldap module to process ldap query. This behavior was seen in FIN7 implant where it uses javascript to execute ldap query to parse host information that will send to its C2 server. this anomaly detections is a good initial step to hunt further a suspicious ldap query or ldap related events to the host that may give you good information regarding ldap or AD information processing or might be a attacker.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.AE"]}
 known_false_positives = automation scripting language may used by network operator to do ldap query.
 providing_technologies = null
@@ -8025,7 +8175,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect a suspicious MS scripting process such as wscript.exe or cscript.exe that loading wmi module to process wmi query. This behavior was seen in FIN7 implant where it uses javascript to execute wmi query to parse host information that will send to its C2 server. this anomaly detections is a good initial step to hunt further a suspicious wmi query or wmi related events to the host that may give you good information regarding process that are commonly using wmi query or modules or might be an attacker using this technique.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.AE"]}
 known_false_positives = automation scripting language may used by network operator to do ldap query.
 providing_technologies = null
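Review bot: The `known_false_positives` line of this WMI stanza still reads `automation scripting language may used by network operator to do ldap query.`, which is the text of the preceding LDAP stanza and does not describe what this search matches; the `how_to_implement` line likewise ends with `Tune and filter known instances where renamed rundll32.exe may be used.`, which has no bearing on a wscript/cscript module-load search. Both are unchanged context lines in this hunk, so the commit does not introduce them, but they ship in the release as-is. Suggest `known_false_positives = Automation or administration scripts run through wscript.exe or cscript.exe may legitimately load the WMI scripting library to run WMI queries. Filter as needed.` and dropping the rundll32 sentence from `how_to_implement`.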
@@ -8035,7 +8185,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to detect a suspicious child process of MSBuild spawned by Windows Script Host - cscript or wscript. This behavior or event are commonly seen and used by malware or adversaries to execute malicious msbuild process using malicious script in the compromised host. During triage, review parallel processes and identify any file modifications. MSBuild may load a script from the same path without having command-line arguments.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1127.001", "T1127"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1127.001", "T1127"], "nist": ["DE.CM"]}
 known_false_positives = False positives should be limited as developers do not spawn MSBuild via a WSH.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -8045,7 +8195,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect a suspicious mshta.exe process that spawn rundll32 or regsvr32 child process. This technique was seen in several malware nowadays like trickbot to load its initial .dll stage loader to execute and download the the actual trickbot payload.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]}
 known_false_positives = limitted. this anomaly behavior is not commonly seen in clean host.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -8055,7 +8205,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following detection identifies the module load of mshtml.dll into an Office product. This behavior has been related to CVE-2021-40444, whereas the malicious document will load ActiveX, which activates the MSHTML component. The vulnerability resides in the MSHTML component. During triage, identify parallel processes and capture any file modifications for analysis.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process names and image loads from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
 known_false_positives = Limited false positives will be present, however, tune as necessary.
 providing_technologies = null
@@ -8070,7 +8220,7 @@ explanation = The following hunting analytic identifies `msi.dll` being loaded b
 1. Racing to introduce a junction and a symlink to trick msiexec.exe to modify the attacker specified file. \
 In addition, `msi.dll` has been abused in DLL side-loading attacks by being loaded by non-system binaries.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.AE"]}
 known_false_positives = It is possible some Administrative utilities will load msi.dll outside of normal system paths, filter as needed.
 providing_technologies = null
@@ -8080,7 +8230,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect a suspicious creation of msmpeng.exe or mpsvc.dll in non default windows defender folder. This technique was seen with revil ransomware in Kaseya Supply chain. The approach is to drop an old version of msmpeng.exe to load the actual payload name as mspvc.dll which will load the revil ransomware to the compromise machine
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.CM"]}
 known_false_positives = quite minimal false positive expected.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -8090,7 +8240,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following hunting analytic will identify the use of localgroup discovery using `net localgroup`. During triage, review parallel processes and identify any further suspicious behavior.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]}
 known_false_positives = False positives may be present. Tune as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -8100,7 +8250,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect modification of registry to bypass UAC windows feature. This technique is to add a payload dll path on .NET COR file path that will be loaded by mmc.exe as soon it was executed. This detection rely on monitoring the registry key and values in the detection area. It may happened that windows update some dll related to mmc.exe and add dll path in this registry. In this case filtering is needed.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]}
 known_false_positives = limited false positive. It may trigger by some windows update that will modify this registry.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -8110,7 +8260,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the execution of `arp.exe` utilized to get a listing of network connections on a compromised system. Red Teams and adversaries alike may use arp.exe for situational awareness and Active Directory Discovery.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
 known_false_positives = Administrators or power users may use this command for troubleshooting.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -8120,7 +8270,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the execution of `net.exe` with command-line arguments utilized to get a listing of network connections on a compromised system. Red Teams and adversaries alike may use net.exe for situational awareness and Active Directory Discovery.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
 known_false_positives = Administrators or power users may use this command for troubleshooting.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -8130,7 +8280,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the execution of `netstat.exe` with command-line arguments utilized to get a listing of network connections on a compromised system. Red Teams and adversaries alike may use netstat.exe for situational awareness and Active Directory Discovery.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
 known_false_positives = Administrators or power users may use this command for troubleshooting.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -8140,7 +8290,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic look for a spawned process of route.exe windows application. Adversaries and red teams alike abuse this application the recon or do a network discovery on a target host. but one possible false positive might be an automated tool used by a system administator or a powershell script in amazon ec2 config services.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1016", "T1016.001"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1016", "T1016.001"], "nist": ["DE.AE"]}
 known_false_positives = A network operator or systems administrator may utilize an automated host discovery application that may generate false positives or an amazon ec2 script that uses this application. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -8150,17 +8300,27 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies object access on Windows administrative SMB shares (Admin$, IPC$, C$). This represents suspicious behavior as its commonly used by tools like PsExec/PaExec and others to stage service binaries before creating and starting a Windows service on remote endpoints. Red Teams and adversaries alike may abuse administrative shares for lateral movement and remote code execution. The IcedID malware family also implements this behavior to try to infect other machines in the infected network.
 how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5140 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1135"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1135"], "nist": ["DE.AE"]}
 known_false_positives = System Administrators may use looks like net.exe or "dir commandline" for troubleshooting or administrations tasks. However, this will typically come only from certain users and certain systems that can be added to an allow list.
 providing_technologies = ["Microsoft Windows"]
 
+[savedsearch://ESCU - Network Traffic to Active Directory Web Services Protocol - Rule]
+type = detection
+asset_type = Network
+confidence = medium
+explanation = The following analytic identifies network traffic to Active Directory Web Services Protocol. This protocol is used to manage Active Directory. The analytic is meant to be tuned and filtered to the specific environment. It will assist defenders in identifying suspicious processes accessing port 9389.
+how_to_implement = The detection is based on data that originates from network traffic logs. The logs must contain the source and destination IP addresses, the application name, and the destination port. The logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the network traffic data source. The logs must also be mapped to the `Network_Traffic` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.AE"]}
+known_false_positives = False positives should be limited as the destination port is specific to Active Directory Web Services Protocol, however we recommend utilizing this analytic to hunt for non-standard processes querying the ADWS port. Filter by App or dest_ip to AD servers and remove known proceses querying ADWS.
+providing_technologies = null
+
 [savedsearch://ESCU - Nishang PowershellTCPOneLine - Rule]
 type = detection
 asset_type = Endpoint
 confidence = medium
 explanation = This query detects the Nishang Invoke-PowerShellTCPOneLine utility that spawns a call back to a remote Command And Control server. This is a powershell oneliner. In addition, this will capture on the command-line additional utilities used by Nishang. Triage the endpoint and identify any parallel processes that look suspicious. Review the reputation of the remote IP or domain contacted by the powershell process.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
 known_false_positives = Limited false positives may be present. Filter as needed based on initial analysis.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
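Review bot: The new ADWS stanza's `known_false_positives` line claims false positives "should be limited" because TCP/9389 is specific to ADWS, but ADWS is also the normal transport for the ActiveDirectory PowerShell module and the Active Directory Administrative Center, so admin workstations and management servers will generate this traffic routinely; the same stanza's explanation already concedes the analytic "is meant to be tuned and filtered". Suggest `known_false_positives = Legitimate administration tooling (the ActiveDirectory PowerShell module, Active Directory Administrative Center and other management consoles) uses ADWS on TCP/9389; baseline known admin hosts and filter by app or dest_ip to AD servers before alerting on this search.`. The explanation also promises to identify suspicious "processes", while `how_to_implement` only requires source/destination IP, application name and destination port in `Network_Traffic`, so process attribution depends on the data source actually feeding that model (presumably Sysmon Event ID 3 or an EDR network sensor, not a firewall); naming that source in `providing_technologies` instead of `null` would make the dependency explicit.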
@@ -8170,7 +8330,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for the execution of `nltest.exe` with command-line arguments utilized to query for Domain Trust information. Two arguments `/domain trusts`, returns a list of trusted domains, and `/all_trusts`, returns all trusted domains. Red Teams and adversaries alike use NLTest.exe to enumerate the current domain to assist with further understanding where to pivot next.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]}
 known_false_positives = Administrators may use nltest for troubleshooting purposes, otherwise, rarely used.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -8180,7 +8340,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect an anomaly event of a non-chrome process accessing the files in chrome user default folder. This folder contains all the sqlite database of the chrome browser related to users login, history, cookies and etc. Most of the RAT, trojan spy as well as FIN7 jssloader try to parse the those sqlite database to collect information on the compromised host. This SACL Event (4663) need to be enabled to tthe firefox profile directory to be eable to use this. Since you monitoring this access to the folder, we observed noise that needs to be filter out and hence added sqlite db browser and explorer .exe to make this detection more stable.
 how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure."
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1555", "T1555.003"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555", "T1555.003"], "nist": ["DE.AE"]}
 known_false_positives = other browser not listed related to firefox may catch by this rule.
 providing_technologies = ["Microsoft Windows"]
 
@@ -8190,7 +8350,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect an anomaly event of a non-firefox process accessing the files in the profile folder. This folder contains all the sqlite database of the firefox browser related to users login, history, cookies and etc. Most of the RAT, trojan spy as well as FIN7 jssloader try to parse the those sqlite database to collect information on the compromised host. This SACL Event (4663) needs to be enabled to the firefox profile directory to use this. Since this is monitoring the access to the folder, we have obsevered noise and hence added `sqlite db browser` and `explorer.exe` to make this detection more stable.
 how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure."
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1555", "T1555.003"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555", "T1555.003"], "nist": ["DE.AE"]}
 known_false_positives = other browser not listed related to firefox may catch by this rule.
 providing_technologies = ["Microsoft Windows"]
 
@@ -8200,7 +8360,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies behavior related to default SliverC2 framework where it will inject into Notepad.exe and spawn Notepad.exe with no command line arguments. In testing, this is a common procedure for SliverC2 usage, however may be modified or changed. From Microsoft, "The Sideload, SpawnDll, and Execute-Assembly commands spawn and inject into notepad.exe by default. The following query finds process creation events where the same process creates and injects into notepad.exe within 10 seconds."
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present and filtering may need to occur based on organization endpoint behavior.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -8212,7 +8372,7 @@ explanation = Monitor for signs that Ntdsutil is being used to Extract Active Di
 ntdsutil "ac i ntds" "ifm" "create full C:\Temp" q q \
 This technique uses "Install from Media" (IFM), which will extract a copy of the Active Directory database. A successful export of the Active Directory database will yield a file modification named ntds.dit to the destination.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]}
 known_false_positives = Highly possible Server Administrators will troubleshoot with ntdsutil.exe, generating false positives.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -8222,7 +8382,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect a suspicious MS office application that drops or creates executables or scripts in a Windows Operating System. This behavior is commonly seen in spear phishing office attachment where it drop malicious files or script to compromised the host. It might be some normal macro may drop script or tools as part of automation but still this behavior is reallly suspicious and not commonly seen in normal office application
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
 known_false_positives = office macro for automation may do this behavior
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -8232,7 +8392,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = this detection was designed to identifies suspicious spawned process of known MS office application due to macro or malicious code. this technique can be seen in so many malware like IcedID that used MS office as its weapon or attack vector to initially infect the machines.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -8242,7 +8402,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This detection was designed to identify suspicious spawned processes of known MS office applications due to macro or malicious code. this technique can be seen in so many malware like trickbot that used MS office as its weapon or attack vector to initially infect the machines.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -8252,7 +8412,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = this search detects a potential malicious office document that create schedule task entry through macro VBA api or through loading taskschd.dll. This technique was seen in so many malicious macro malware that create persistence , beaconing using task schedule malware entry The search will return the first time and last time the task was registered, as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not. schtasks.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64`. The following DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. If found loaded by another process, it's possible a scheduled task is being registered within that process context in memory. Upon triage, identify the task scheduled source. Was it schtasks.exe or via TaskService? Review the job created and the Command to be executed. Capture any artifacts on disk and review. Identify any parallel processes within the same timeframe to identify source.'
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Also be sure to include those monitored dll to your own sysmon config.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = null
 
@@ -8262,7 +8422,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = this detection was designed to identifies suspicious office documents that using macro code. Macro code is known to be one of the prevalent weaponization or attack vector of threat actor. This malicious macro code is embed to a office document as an attachment that may execute malicious payload, download malware payload or other malware component. It is really good practice to disable macro by default to avoid automatically execute macro code while opening or closing a office document files.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Also be sure to include those monitored dll to your own sysmon config.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
 known_false_positives = Normal Office Document macro use for automation
 providing_technologies = null
 
@@ -8272,7 +8432,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect potential malicious office document executing lolbin child process to download payload or other malware. Since most of the attacker abused the capability of office document to execute living on land application to blend it to the normal noise in the infected machine to cover its track.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
 known_false_positives = Default browser not in the filter list.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -8282,7 +8442,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = this search is to detect a suspicious office product process that spawn cmd child process. This is commonly seen in a ms office product having macro to execute shell command to download or execute malicious lolbin relative to its malicious code. This is seen in trickbot spear phishing doc where it execute shell cmd to run mshta payload.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
 known_false_positives = IT or network admin may create an document automation that will run shell script.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -8292,7 +8452,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office Product spawning `bitsadmin.exe`. In malicious instances, the command-line of `bitsadmin.exe` will contain a URL to a remote destination or similar command-line arguments as transfer, Download, priority, Foreground. In addition, Threat Research has released a detections identifying suspicious use of `bitsadmin.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `bitsadmin.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
 known_false_positives = No false positives known. Filter as needed. 
providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -8302,7 +8462,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office Product spawning `certutil.exe`. In malicious instances, the command-line of `certutil.exe` will contain a URL to a remote destination. In addition, Threat Research has released a detections identifying suspicious use of `certutil.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `certutil.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
 known_false_positives = No false positives known. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -8312,7 +8472,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office Product spawning `mshta.exe`. In malicious instances, the command-line of `mshta.exe` will contain the `hta` file locally, or a URL to the remote destination. In addition, Threat Research has released a detections identifying suspicious use of `mshta.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `mshta.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
 known_false_positives = No false positives known. Filter as needed. 
providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -8322,7 +8482,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following detection identifies the latest behavior utilized by IcedID malware family. This detection identifies any Windows Office Product spawning `rundll32.exe` without a `.dll` file extension. In malicious instances, the command-line of `rundll32.exe` will look like `rundll32 ..\oepddl.igk2,DllRegisterServer`. In addition, Threat Research has released a detection identifying the use of `DllRegisterServer` on the command-line of `rundll32.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze the `DLL` that was dropped to disk. The Office Product will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
 known_false_positives = False positives should be limited, but if any are present, filter as needed. 
providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -8332,7 +8492,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic will identify a Windows Office Product spawning WScript.exe or CScript.exe. Tuning may be required based on legitimate application usage that may spawn scripts from an Office product.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present based on macro based approved documents in the organization. Filtering may be needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -8342,7 +8502,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following detection identifies the latest behavior utilized by Ursnif malware family. This detection identifies any Windows Office Product spawning `wmic.exe`. In malicious instances, the command-line of `wmic.exe` will contain `wmic process call create`. In addition, Threat Research has released a detection identifying the use of `wmic process call create` on the command-line of `wmic.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `wmic.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
 known_false_positives = No false positives known. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -8352,7 +8512,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies behavior related to CVE-2021-40444. Whereas the malicious document will load ActiveX and download the remote payload (.inf, .cab). During triage, review parallel processes and further activity on endpoint to identify additional patterns. Retrieve the file modifications and analyze further.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
 known_false_positives = The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -8362,7 +8522,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following detection identifies control.exe spawning from an office product. This detection identifies any Windows Office Product spawning `control.exe`. In malicious instances, the command-line of `control.exe` will contain a file path to a .cpl or .inf, related to CVE-2021-40444. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. review parallel and child processes to identify further suspicious behavior
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
 known_false_positives = Limited false positives should be present.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -8372,7 +8532,7 @@ asset_type = Endpoint confidence = medium explanation = A required step while exploiting the CVE-2021-44228-Log4j vulnerability is that the victim server will perform outbound connections to attacker-controlled infrastructure. This is required as part of the JNDI lookup as well as for retrieving the second stage .class payload. The following analytic identifies the Java process reaching out to default ports used by the LDAP and RMI protocols. This behavior could represent successfull exploitation. Note that adversaries can easily decide to use arbitrary ports for these protocols and potentially bypass this detection. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} known_false_positives = Legitimate Java applications may use perform outbound connections to these ports. Filter as needed providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -8382,7 +8542,7 @@ asset_type = Endpoint confidence = medium explanation = Microsoft Windows contains accessibility features that can be launched with a key combination before a user has logged in. An adversary can modify or replace these programs so they can get a command prompt or backdoor without logging in to the system. This search looks for modifications to these binaries. how_to_implement = You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1546", "T1546.008"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546", "T1546.008"], "nist": ["DE.CM"]} known_false_positives = Microsoft may provide updates to these binaries. Verify that these changes do not correspond with your normal software update cycle. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -8392,7 +8552,7 @@ asset_type = Web Server confidence = medium explanation = The following hunting analytic is designed to monitor and detect potential exploitation attempts targeting a PaperCut NG server by analyzing its debug log data. By focusing on public IP addresses accessing the PaperCut NG instance, this analytic aims to identify unauthorized or suspicious access attempts. Furthermore, it searches for specific URIs that have been discovered in the proof of concept code, which are associated with known exploits or vulnerabilities. The analytic is focused on the user admin. Regex is used mainly because the log is not parsed by Splunk and there is no TA for this debug log. how_to_implement = Debug logs must be enabled and shipped to Splunk in order to properly identify behavior with this analytic. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} known_false_positives = False positives may be present, as this is based on the admin user accessing the Papercut NG instance from a public IP address. Filter as needed. providing_technologies = null 
@@ -8402,7 +8562,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic looks for the execution of `net.exe` or `net1.exe` with command line arguments used to obtain the domain password policy. Red Teams and adversaries may leverage `net.exe` for situational awareness and Active Directory Discovery. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]} known_false_positives = Administrators or power users may use this command for troubleshooting. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -8412,7 +8572,7 @@ asset_type = Endpoint confidence = medium explanation = This search is to detect a modification of file or directory permission using takeown.exe windows app. This technique was seen in some ransomware that take the ownership of a folder or files to encrypt or delete it. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]} known_false_positives = takeown.exe is a normal windows application that may used by network operator. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -8425,7 +8585,7 @@ To enable 5145 events via Group Policy - Computer Configuration->Polices->Window It is possible this is not enabled by default and may need to be reviewed and enabled. \ During triage, review parallel security events to identify further suspicious activity. how_to_implement = Windows Event Code 5145 is required to utilize this analytic and it may not be enabled in most environments. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1187"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1187"], "nist": ["DE.CM"]} known_false_positives = False positives have been limited when the Anonymous Logon is used for Account Name. providing_technologies = ["Microsoft Windows"] 
@@ -8435,7 +8595,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifes Event Code 4768, A `Kerberos authentication ticket (TGT) was requested`, successfull occurs. This behavior has been identified to assist with detecting PetitPotam, CVE-2021-36942. Once an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning, we recommend filtering Account_Name to Domain Controllers for your environment. how_to_implement = The following analytic requires Event Code 4768. Ensure that it is logging no Domain Controllers and appearing in Splunk. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003"], "nist": ["DE.CM"]} known_false_positives = False positives are possible if the environment is using certificates for authentication. providing_technologies = ["Microsoft Windows"] 
@@ -8445,7 +8605,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic will identify the possible execution of ping sleep batch commands. This technique was seen in several malware samples and is used to trigger sleep times without explicitly calling sleep functions or commandlets. The goal is to delay the execution of malicious code and bypass detection or sandbox analysis. This detection can be a good indicator of a process delaying its execution for malicious purposes. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1497", "T1497.003"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1497", "T1497.003"], "nist": ["DE.AE"]} known_false_positives = Administrator or network operator may execute this command. Please update the filter macros to remove false positives. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -8455,7 +8615,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic will detect if a suspicious process contains a commandline parameter related to a web browser credential dumper. This technique is used by Remcos RAT malware which uses the Nirsoft webbrowserpassview.exe application to dump web browser credentials. Remcos uses the "/stext" command line to dump the credentials in text format. This Hunting query is a good indicator of hosts suffering from possible Remcos RAT infection. Since the hunting query is based on the parameter command and the possible path where it will save the text credential information, it may catch normal tools that are using the same command and behavior. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1555.003", "T1555"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555.003", "T1555"], "nist": ["DE.AE"]} known_false_positives = False positive is quite limited. Filter is needed providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -8466,7 +8626,7 @@ confidence = medium explanation = The following analytic is designed to identify possible lateral movement attacks that involve the spawning of a PowerShell process as a child or grandchild process of commonly abused processes. These processes include services.exe, wmiprsve.exe, svchost.exe, wsmprovhost.exe, and mmc.exe.\ Such behavior is indicative of legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management, and the DCOM protocol being abused to start a process on a remote endpoint. This behavior is often seen during lateral movement techniques where adversaries or red teams abuse these services for lateral movement and remote code execution. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1021", "T1021.003", "T1021.006", "T1047", "T1053.005", "T1543.003", "T1059.001", "T1218.014"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.003", "T1021.006", "T1047", "T1053.005", "T1543.003", "T1059.001", "T1218.014"], "nist": ["DE.CM"]} known_false_positives = Legitimate applications may spawn PowerShell as a child process of the the identified processes. 
Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] @@ -8476,7 +8636,7 @@ asset_type = Endpoint confidence = medium explanation = This search identifies users who have entered their passwords in username fields. This is done by looking for failed authentication attempts using usernames with a length longer than 7 characters and a high Shannon entropy, and looks for the next successful authentication attempt from the same source system to the same destination system as the failed attempt. how_to_implement = To successfully implement this search, you need to have relevant authentication logs mapped to the Authentication data model. You also need to have the Splunk TA URL Toolbox (https://splunkbase.splunk.com/app/2734/) installed. The detection must run with a time interval shorter than endtime+1000. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078.003", "T1552.001"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.003", "T1552.001"], "nist": ["DE.AE"]} known_false_positives = Valid usernames with high entropy or source/destination system pairs with multiple authenticating users will make it difficult to identify the real user authenticating. providing_technologies = null 
@@ -8486,7 +8646,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic uses a pretrained machine learning text classifier to detect potentially malicious commandlines. The model identifies unusual combinations of keywords found in samples of commandlines where adversaries executed powershell code, primarily for C2 communication. For example, adversaries will leverage IO capabilities such as "streamreader" and "webclient", threading capabilties such as "mutex" locks, programmatic constructs like "function" and "catch", and cryptographic operations like "computehash". Although observing one of these keywords in a commandline script is possible, combinations of keywords observed in attack data are not typically found in normal usage of the commandline. The model will output a score where all values above zero are suspicious, anything greater than one particularly so. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.003"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003"], "nist": ["DE.AE"]} known_false_positives = This model is an anomaly detector that identifies usage of APIs and scripting constructs that are correllated with malicious activity. 
These APIs and scripting constructs are part of the programming langauge and advanced scripts may generate false positives. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] @@ -8496,7 +8656,7 @@ asset_type = Endpoint confidence = medium explanation = The following Hunting analytic assists with identifying suspicious PowerShell execution using Script Block Logging, or EventCode 4104. This analytic is not meant to be ran hourly, but occasionally to identify malicious or suspicious PowerShell. This analytic is a combination of work completed by Alex Teixeira and Splunk Threat Research Team. how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.AE"]} known_false_positives = Limited false positives. May filter as needed. providing_technologies = ["Microsoft Windows"] 
@@ -8506,7 +8666,7 @@ asset_type = Endpoint confidence = medium explanation = The following hunting analytic identifies PowerShell commands utilizing the WindowStyle parameter to hide the window on the compromised endpoint. This combination of command-line options is suspicious because it is overriding the default PowerShell execution policy, attempts to hide its activity from the user, and connects to the Internet. Removed in this version of the query is New-Object. The analytic identifies all variations of WindowStyle, as PowerShell allows the ability to shorten the parameter. For example w, win, windowsty and so forth. In addition, through our research it was identified that PowerShell will interpret different command switch types beyond the hyphen. We have added endash, emdash, horizontal bar, and forward slash. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"]} known_false_positives = Legitimate process can have this combination of command-line options, but it's not common. 
providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] @@ -8516,7 +8676,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic utilizes PowerShell ScriptBlock Logging to identify a script that is attempting to modify or add a component object model to inprocserver32 path within the registry. how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the PowerShell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1546.015", "T1059", "T1059.001"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.015", "T1059", "T1059.001"], "nist": ["DE.CM"]} known_false_positives = False positives will be present if any scripts are adding to inprocserver32. Filter as needed. providing_technologies = ["Microsoft Windows"] 
@@ -8526,7 +8686,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is using the `mutex` function. This function is commonly seen in some obfuscated PowerShell scripts to make sure that only one instance of there process is running on a compromise machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1027", "T1027.005", "T1059.001"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1027", "T1027.005", "T1059.001"], "nist": ["DE.CM"]} known_false_positives = powershell developer may used this function in their script for instance checking too. providing_technologies = ["Microsoft Windows"] 
@@ -8536,7 +8696,7 @@ asset_type = Endpoint confidence = medium explanation = This search identifies a modification in registry to disable the windows defender real time behavior monitoring. This event or technique is commonly seen in RATs, bots, or Trojans to disable AV to evade detections. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} known_false_positives = Limited false positives. However, tune based on scripts that may perform this action. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -8548,7 +8708,7 @@ explanation = The following analytic utilizes PowerShell Script Block Logging (E This analytic identifies specific PowerShell modules typically used to enumerate an organizations domain or users. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} known_false_positives = It is possible there will be false positives, filter as needed. providing_technologies = ["Microsoft Windows"] 
@@ -8558,7 +8718,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic utilizes PowerShell Script Block Logging (EventCode 4104) to identify the use of Enable-PSRemoting cmdlet. This cmdlet allows users to enable PowerShell remoting on a local or remote computer, which allows other computers to run commands on the target computer. The ability to remotely execute commands can be abused by attackers to take control of compromised systems and pivot to other systems on the network. By detecting the use of Enable-PSRemoting cmdlet via script block logging, this analytic can help organizations identify potential malicious activity related to attackers attempting to gain remote control of compromised systems. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"]} known_false_positives = Note that false positives may occur due to the use of the Enable-PSRemoting cmdlet by legitimate users, such as system administrators. It is recommended to apply appropriate filters as needed to minimize the number of false positives. providing_technologies = ["Microsoft Windows"] 
@@ -8568,7 +8728,7 @@ asset_type = Endpoint confidence = medium explanation = This search is to detect a suspicious enabling of smb1protocol through `powershell.exe`. This technique was seen in some ransomware (like reddot) where it enable smb share to do the lateral movement and encrypt other files within the compromise network system. how_to_implement = To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1027", "T1027.005"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027", "T1027.005"], "nist": ["DE.CM"]} known_false_positives = network operator may enable or disable this windows feature. providing_technologies = ["Microsoft Windows"] @@ -8578,7 +8738,7 @@ asset_type = Endpoint confidence = medium explanation = This search is to detect a COM CLSID execution through powershell. This technique was seen in several adversaries and malware like ransomware conti where it has a feature to execute command using COM Object. This technique may use by network operator at some cases but a good indicator if some application want to gain privilege escalation or bypass uac. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1546.015", "T1546", "T1059.001"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.015", "T1546", "T1059.001"], "nist": ["DE.CM"]} known_false_positives = network operrator may use this command. providing_technologies = ["Microsoft Windows"] 
@@ -8591,7 +8751,7 @@ This analytic identifies `GetProcAddress` in the script block. This is not norma In use, `$var_gpa = $var_unsafe_native_methods.GetMethod(GetProcAddress` and later referenced/executed elsewhere. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1055", "T1059.001"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1059", "T1055", "T1059.001"], "nist": ["DE.CM"]} known_false_positives = Limited false positives. Filter as needed. providing_technologies = ["Microsoft Windows"] 
@@ -8604,7 +8764,7 @@ This analytic identifies `FromBase64String` within the script block. A typical m Command example - `[Byte[]]$var_code = [System.Convert]::FromBase64String(38uqIyMjQ6rG....` \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1027", "T1059.001"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1059", "T1027", "T1059.001"], "nist": ["DE.CM"]} known_false_positives = False positives should be limited. Filter as needed. providing_technologies = ["Microsoft Windows"] 
@@ -8614,7 +8774,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following hunting analytic identifies the use of `get-localgroup` being used with PowerShell to identify local groups on the endpoint. During triage, review parallel processes and identify any further suspicious behavior.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]}
 known_false_positives = False positives may be present. Tune as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -8626,7 +8786,7 @@ explanation = The following analytic utilizes PowerShell Script Block Logging (E
 This analytic identifies PowerShell cmdlet - `get-localgroup` being ran. Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \
 During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]}
 known_false_positives = False positives may be present. Tune as needed.
 providing_technologies = ["Microsoft Windows"]
 
@@ -8636,7 +8796,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic identifies the use of the New-CIMSession cmdlet being created along with the Invoke-CIMMethod cmdlet being used within PowerShell. This particular behavior is similar to the usage of the Invoke-WMIMethod cmdlet, which is known for executing WMI commands on targets using NTLMv2 pass-the-hash authentication. The New-CIMSession cmdlet allows users to create a new CIM session object for a specified computer system, which can then be used to execute CIM operations remotely. Similarly, the Invoke-CIMMethod cmdlet is used to invoke a specified method on one or more CIM objects. Therefore, the combination of New-CIMSession and Invoke-CIMMethod cmdlets in PowerShell can potentially indicate malicious behavior, and this analytic can help detect such activity.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1047"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.AE"]}
 known_false_positives = False positives may be present based on third-party applications or administrators using CIM. It is recommended to apply appropriate filters as needed to minimize the number of false positives.
 providing_technologies = ["Microsoft Windows"]
 
@@ -8646,7 +8806,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic detects the usage of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). The utility is used for executing WMI commands on targets using NTLMv2 pass-the-hash authentication.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
 known_false_positives = False positives should be limited as this analytic is designed to detect a specific utility. It is recommended to apply appropriate filters as needed to minimize the number of false positives.
 providing_technologies = ["Microsoft Windows"]
 
@@ -8658,7 +8818,7 @@ explanation = The following analytic utilizes PowerShell Script Block Logging (E
 This analytic identifies "MSF.Powershell","MSF.Powershell.Meterpreter","MSF.Powershell.Meterpreter.Kiwi","MSF.Powershell.Meterpreter.Transport" being used. This behavior is related to when a Meterpreter session is started and the operator runs load_kiwi. \
 During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.
 how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
 known_false_positives = False positives should be very limited as this is strict to MetaSploit behavior.
 providing_technologies = ["Microsoft Windows"]
 
@@ -8670,7 +8830,7 @@ explanation = The following analytic utilizes PowerShell Script Block Logging (E
 This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. \
 During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
 known_false_positives = False positives should be limited as day to day scripts do not use this method.
 providing_technologies = ["Microsoft Windows"]
 
@@ -8680,7 +8840,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is processing compressed stream data. This is typically found in obfuscated PowerShell or PowerShell executing embedded .NET or binary files that are stream flattened and will be deflated durnig execution. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
 known_false_positives = powershell may used this function to process compressed data.
 providing_technologies = ["Microsoft Windows"]
 
@@ -8690,7 +8850,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a suspicious PowerShell script execution via EventCode 4104 that contains command to add or modify the trustedhost configuration in Windows OS. This behavior raises concerns due to the nature of modifications made to the 'TrustedHost' configuration, which typically involves adjusting settings crucial for remote connections and security protocols. Alterations in this area could potentially indicate attempts to manipulate trusted hosts or systems for unauthorized remote access, a tactic commonly observed in various unauthorized access or compromise attempts.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1021.006", "T1021"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.006", "T1021"], "nist": ["DE.CM"]}
 known_false_positives = user and network administrator may used this function to add trusted host.
 providing_technologies = ["Microsoft Windows"]
 
@@ -8700,7 +8860,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = this search is designed to detect suspicious powershell process that tries to inject code and to known/critical windows process and execute it using CreateRemoteThread. This technique is seen in several malware like trickbot and offensive tooling like cobaltstrike where it load a shellcode to svchost.exe to execute reverse shell to c2 and download another payload
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, Create Remote thread from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of create remote thread may be used.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = null
 
@@ -8710,7 +8870,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic will identify a suspicious PowerShell command used to delete the Windows Defender folder. This technique was seen used by the WhisperGate malware campaign where it used Nirsofts advancedrun.exe to gain administrative privileges to then execute a PowerShell command to delete the Windows Defender folder. This is a good indicator the offending process is trying corrupt a Windows Defender installation.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Microsoft Windows"]
 
@@ -8720,7 +8880,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a suspicious PowerShell script execution via EventCode 4104 that contains multiple URLs within a function or array. This is typically found in obfuscated PowerShell or PowerShell executing embedded .NET or binary files that are attempting to download 2nd stage payloads. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.
 how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.001", "T1105"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Command and Control"], "mitre_attack": ["T1059.001", "T1105"], "nist": ["DE.CM"]}
 known_false_positives = Unknown, possible custom scripting.
 providing_technologies = ["Microsoft Windows"]
 
@@ -8730,7 +8890,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = Start-BitsTransfer is the PowerShell "version" of BitsAdmin.exe. Similar functionality is present. This technique variation is not as commonly used by adversaries, but has been abused in the past. Lesser known uses include the ability to set the `-TransferType` to `Upload` for exfiltration of files. In an instance where `Upload` is used, it is highly possible files will be archived. During triage, review parallel processes and process lineage. Capture any files on disk and review. For the remote domain or IP, what is the reputation?
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1197"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1197"], "nist": ["DE.CM"]}
 known_false_positives = Limited false positives. It is possible administrators will utilize Start-BitsTransfer for administrative tasks, otherwise filter based parent process or command-line arguments.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -8740,7 +8900,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic identifies the use of PowerShell's Start-Service or Stop-Service cmdlets on an endpoint. These cmdlets allow users to start or stop a specified Windows service. The ability to manipulate services can be leveraged by attackers to disable or stop critical services, which can cause system instability or disrupt business operations. By detecting the use of Start-Service or Stop-Service cmdlets via PowerShell, this analytic can help organizations identify potential malicious activity related to attackers attempting to manipulate services on compromised systems. However, note that this behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. Therefore, it is recommended not to enable this analytic as a direct notable or TTP. Instead, it should be used as part of a broader set of security controls to detect and investigate potential threats.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.001"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001"], "nist": ["DE.AE"]}
 known_false_positives = This behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. Therefore, it is recommended not to enable this analytic as a direct notable or TTP. Instead, it should be used as part of a broader set of security controls to detect and investigate potential threats.
 providing_technologies = ["Microsoft Windows"]
 
@@ -8750,7 +8910,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is using memory stream as new object backstore. The malicious PowerShell script will contain stream flate data and will be decompressed in memory to run or drop the actual payload. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.CM"]}
 known_false_positives = powershell may used this function to store out object into memory.
 providing_technologies = ["Microsoft Windows"]
 
@@ -8760,7 +8920,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic identifies a common fileless malware staging technique of using .NET classes to directly download a URL payload into memory. The analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution.
 how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.001", "T1105", "T1027.011"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Command and Control", "Exploitation"], "mitre_attack": ["T1059.001", "T1105", "T1027.011"], "nist": ["DE.CM"]}
 known_false_positives = Unknown, possible custom scripting.
 providing_technologies = ["Microsoft Windows"]
 
@@ -8770,7 +8930,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic will detect a suspicious process commandline related to windows defender exclusion feature. This command is abused by adversaries, malware author and red teams to bypassed Windows Defender Anti-Virus product by excluding folder path, file path, process, extensions and etc. from its real time or schedule scan to execute their malicious code. This is a good indicator for defense evasion and to look further for events after this behavior.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = admin or user may choose to use this windows features.
 providing_technologies = ["Microsoft Windows"]
 
@@ -8780,7 +8940,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect a suspicious bcdedit.exe execution to ignore all failures. This technique was used by ransomware to prevent the compromise machine automatically boot in repair mode.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
 known_false_positives = Administrators may modify the boot configuration ignore failure during testing and debugging.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -8790,7 +8950,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to detect a suspicious modification or new registry entry regarding print processor. This registry is known to be abuse by turla or other APT to gain persistence and privilege escalation to the compromised machine. This is done by adding the malicious dll payload on the new created key in this registry that will be executed as it restarted the spoolsv.exe process and services.
 how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
 known_false_positives = possible new printer installation may add driver component on this registry.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -8802,7 +8962,7 @@ explanation = The following analytic identifies new printer drivers being load b
 Within the proof of concept code, the following event will occur - "Printer driver 1234 for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, kernelbase.dll, evil.dll. No user action is required." \
 During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events and review the source of where the exploitation began.
 how_to_implement = You will need to ensure PrintService Admin and Operational logs are being logged to Splunk from critical or all systems.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
 known_false_positives = Unknown. This may require filtering.
 providing_technologies = null
 
@@ -8815,7 +8975,7 @@ Within the proof of concept code, the following error will occur - "The print sp
 The analytic is based on file path and failure to load the plug-in. \
 During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events.
 how_to_implement = You will need to ensure PrintService Admin and Operational logs are being logged to Splunk from critical or all systems.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
 known_false_positives = False positives are unknown and filtering may be required.
 providing_technologies = null
 
@@ -8825,7 +8985,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for a process launching an `*.lnk` file under `C:\User*` or `*\Local\Temp\*`. This is common behavior used by various spear phishing tools.
 how_to_implement = You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1566", "T1566.002"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.002"], "nist": ["DE.CM"]}
 known_false_positives = This detection should yield little or no false positive results. It is uncommon for LNK files to be executed from temporary or user directories.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -8835,7 +8995,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This detection is to identify a suspicious process that tries to delete the process file path related to its process. This technique is known to be defense evasion once a certain condition of malware is satisfied or not. Clop ransomware use this technique where it will try to delete its process file path using a .bat command if the keyboard layout is not the layout it tries to infect.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = null
 
@@ -8845,7 +9005,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies `WmiPrvSE.exe` spawning a process. This typically occurs when a process is instantiated from a local or remote process using `wmic.exe`. During triage, review parallel processes for suspicious behavior or commands executed. Review the process and command-line spawning from `wmiprvse.exe`. Contain and remediate the endpoint as necessary.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
 known_false_positives = Although unlikely, administrators may use wmi to execute commands for legitimate purposes.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -8855,7 +9015,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies the use of `wmic.exe` using `delete` to remove a executable path. This is typically ran via a batch file during beginning stages of an adversary setting up for mining on an endpoint.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = Unknown.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -8865,7 +9025,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = DynamicWrapperX is an ActiveX component that can be used in a script to call Windows API functions, but it requires the dynwrapx.dll to be installed and registered. With that, a binary writing dynwrapx.dll to disk and registering it into the registry is highly suspect. Why is it needed? In most malicious instances, it will be written to disk at a non-standard location. During triage, review parallel processes and pivot on the process_guid. Review the registry for any suspicious modifications meant to load dynwrapx.dll. Identify any suspicious module loads of dynwrapx.dll. This will identify the process that will invoke vbs/wscript/cscript.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1559.001"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1559.001"], "nist": ["DE.AE"]}
 known_false_positives = False positives should be limited, however it is possible to filter by Processes.process_name and specific processes (ex. wscript.exe). Filter as needed. This may need modification based on EDR telemetry and how it brings in registry data. For example, removal of (Default).
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -8875,7 +9035,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]}
 known_false_positives = Some VPN applications are known to launch netsh.exe. Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -8895,7 +9055,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following hunting analytic leverages Event ID 4698, `A scheduled task was created`, to identify the creation of a Scheduled Task with a suspicious, high entropy, Task Name. To achieve this, this analytic also leverages the `ut_shannon` function from the URL ToolBox Splunk application. Red teams and adversaries alike may abuse the Task Scheduler to create and start a remote Scheduled Task and obtain remote code execution. To achieve this goal, tools like Impacket or Crapmapexec, typically create a Scheduled Task with a random task name on the victim host. This hunting analytic may help defenders identify Scheduled Tasks created as part of a lateral movement attack. The entropy threshold `ut_shannon > 3` should be customized by users. The Command field can be used to determine if the task has malicious intent or not.
 how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA as well as the URL ToolBox application are also required.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.AE"]}
 known_false_positives = Legitimate applications may use random Scheduled Task names.
 providing_technologies = ["Microsoft Windows"]
@@ -8905,7 +9065,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following hunting analytic leverages Event ID 7045, `A new service was installed in the system`, to identify the installation of a Windows Service with a suspicious, high entropy, Service Name. To achieve this, this analytic also leverages the `ut_shannon` function from the URL ToolBox Splunk application. Red teams and adversaries alike may abuse the Service Control Manager to create and start a remote Windows Service and obtain remote code execution. To achieve this goal, some tools like Metasploit, Cobalt Strike and Impacket, typically create a Windows Service with a random service name on the victim host. This hunting analytic may help defenders identify Windows Services installed as part of a lateral movement attack. The entropy threshold `ut_shannon > 3` should be customized by users. The Service_File_Name field can be used to determine if the Windows Service has malicious intent or not.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. The Windows TA as well as the URL ToolBox application are also required.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.AE"]}
 known_false_positives = Legitimate applications may use random Windows Service names.
 providing_technologies = null
@@ -8915,7 +9075,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytics identifies a big number of instance of ransomware notes (filetype e.g .txt, .html, .hta) file creation to the infected machine. This behavior is a good sensor if the ransomware note filename is quite new for security industry or the ransomware note filename is not in your ransomware lookup table list for monitoring.
 how_to_implement = You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -8925,7 +9085,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 performing checks to identify anti-virus products installed on the endpoint. This technique is commonly found in malware and APT events where the adversary will map all running security applications or services. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1592"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592"], "nist": ["DE.CM"]}
 known_false_positives = network administrator may used this command for checking purposes
 providing_technologies = ["Microsoft Windows"]
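Review bot: The new `"kill_chain_phases": ["Reconnaissance"]` on the annotations line does not fit what this analytic observes: it fires on a script block already executing on the endpoint (EventCode 4104), i.e. post-compromise discovery, whereas Reconnaissance in the kill-chain model is the pre-intrusion phase. The phase appears to be derived from the pre-existing T1592 mapping, which likewise describes pre-compromise gathering of victim host information; an in-host check for installed security products is what ATT&CK files under Security Software Discovery (T1518.001), which would also imply a post-exploitation phase. The same concern applies to the `@@ -8935` hunk that follows, which adds `["Reconnaissance", "Installation"]` for a WMI process/service enumeration script block. Since the commit states these dist files are produced by the release job, the correction belongs in the source detection definitions, not in this generated file.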
@@ -8935,7 +9095,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies suspicious PowerShell via EventCode 4104, where WMI is performing an event query looking for running processes or running services. This technique is commonly found where the adversary will identify services and system information on the compromised machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1592", "T1059.001"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance", "Installation"], "mitre_attack": ["T1592", "T1059.001"], "nist": ["DE.AE"]}
 known_false_positives = network administrator may used this command for checking purposes
 providing_technologies = ["Microsoft Windows"]
@@ -8945,7 +9105,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect a suspicious commandline designed to delete files or directory recursive using batch command. This technique was seen in ransomware (reddot) where it it tries to delete the files in recycle bin to impaire user from recovering deleted files.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.CM"]}
 known_false_positives = network operator may use this batch command to delete recursively a directory or files within directory
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -8955,7 +9115,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The search looks for reg.exe modifying registry keys that define Windows services and their configurations.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1574.011", "T1574"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.011", "T1574"], "nist": ["DE.CM"]}
 known_false_positives = It is unusual for a service to be created or modified by directly manipulating the registry. However, there may be legitimate instances of this behavior. It is important to validate and investigate, as appropriate.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -8965,7 +9125,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for registry activity associated with application compatibility shims, which can be leveraged by attackers for various nefarious purposes.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"]}
 known_false_positives = There are many legitimate applications that leverage shim databases for compatibility purposes for legacy applications
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -8975,7 +9135,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The search looks for modifications or alterations made to registry keys that have the potential to initiate the launch of an application or service during system startup. By monitoring and detecting modifications in these registry keys, we can identify suspicious or unauthorized changes that could be indicative of malicious activity. This proactive approach helps in safeguarding the system's integrity and security by promptly identifying and mitigating potential threats that aim to gain persistence or execute malicious actions during the startup process.
 how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.001", "T1547"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.001", "T1547"], "nist": ["DE.CM"]}
 known_false_positives = There are many legitimate applications that must execute on system startup and will use these registry keys to accomplish that task.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -8985,7 +9145,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for modifications to registry keys that can be used to elevate privileges. The registry keys under "Image File Execution Options" are used to intercept calls to an executable and can be used to attach malicious binaries to benign system binaries.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1546.012", "T1546"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.012", "T1546"], "nist": ["DE.CM"]}
 known_false_positives = There are many legitimate applications that must execute upon system startup and will use these registry keys to accomplish that task.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -8995,7 +9155,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to detect a loading of dll using regsvr32 application with silent parameter and dllinstall execution. This technique was seen in several RAT malware similar to remcos, njrat and adversaries to load their malicious DLL on the compromised machine. This TTP may executed by normal 3rd party application so it is better to pivot by the parent process, parent command-line and command-line of the file that execute this regsvr32.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.AE"]}
 known_false_positives = Other third part application may used this parameter but not so common in base windows environment.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -9005,7 +9165,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies Regsvr32.exe utilizing the silent switch to load DLLs. This technique has most recently been seen in IcedID campaigns to load its initial dll that will download the 2nd stage loader that will download and decrypt the config payload. The switch type may be either a hyphen `-` or forward slash `/`. This behavior is typically found with `-s`, and it is possible there are more switch types that may be used. \ During triage, review parallel processes and capture any artifacts that may have landed on disk. Isolate and contain the endpoint as necessary.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.AE"]}
 known_false_positives = minimal. but network operator can use this application to load dll.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -9015,7 +9175,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic detects the presence of a registry key related to the Remcos RAT agent on a host. This detection is made by a Splunk query to search for instances where the registry key "license" is found in the "Software\Remcos" path. This analytic combines information from two data models: Endpoint.Processes and Endpoint.Registry and retrieves process information such as user, process ID, process name, process path, destination, parent process name, parent process, and process GUID. This analytic also retrieves registry information such as registry path, registry key name, registry value name, registry value data, and process GUID. By joining the process GUID from the Endpoint.Processes data model with the process GUID from the Endpoint.Registry data model, the analytic identifies instances where the "license" registry key is found in the "Software\Remcos" path. This detection is important because it suggests that the host has been compromised by the Remcos RAT agent. Remcos is a well-known remote access Trojan that can be used by attackers to gain unauthorized access to systems and exfiltrate sensitive data. Identifying this behavior allows the SOC to take immediate action to remove the RAT agent and prevent further compromise. The impact of this attack can be severe, as the attacker can gain unauthorized access to the system, steal sensitive information, or use the compromised system as a launching point for further attacks. Next steps include using this analytic in conjunction with other security measures and threat intelligence to ensure accurate detection and response.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed.
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -9025,7 +9185,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect file creation in remcos folder in appdata which is the keylog and clipboard logs that will be send to its c2 server. This is really a good TTP indicator that there is a remcos rat in the system that do keylogging, clipboard grabbing and audio recording.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -9035,7 +9195,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for the remote desktop process mstsc.exe running on systems upon which it doesn't typically run. This is accomplished by filtering out all systems that are noted in the `common_rdp_source category` in the Assets and Identity framework.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.AE"]}
 known_false_positives = Remote Desktop may be used legitimately by users on the network.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -9045,7 +9205,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the execution of `powershell.exe` with arguments utilized to start a process on a remote endpoint by abusing the DCOM protocol. Specifically, this search looks for the abuse of ShellExecute and ExecuteShellCommand. Red Teams and adversaries alike may abuse DCOM and `powershell.exe` for lateral movement and remote code execution.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1021", "T1021.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.003"], "nist": ["DE.CM"]}
 known_false_positives = Administrators may leverage DCOM to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -9055,7 +9215,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of PowerShell with arguments utilized to start a process on a remote endpoint by abusing the DCOM protocol. Specifically, this search looks for the abuse of ShellExecute and ExecuteShellCommand. Red Teams and adversaries alike may abuse DCOM for lateral movement and remote code execution.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1021", "T1021.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.003"], "nist": ["DE.CM"]}
 known_false_positives = Administrators may leverage DCOM to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.
 providing_technologies = ["Microsoft Windows"]
@@ -9065,7 +9225,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the execution of `powershell.exe` with arguments utilized to start a process on a remote endpoint by abusing the WinRM protocol. Specifically, this search looks for the abuse of the `Invoke-Command` commandlet. Red Teams and adversaries alike may abuse WinRM and `powershell.exe` for lateral movement and remote code execution.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]}
 known_false_positives = Administrators may leverage WinRM and `Invoke-Command` to start a process on remote systems for system administration or automation use cases. However, this activity is usually limited to a small set of hosts or users.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -9075,7 +9235,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of PowerShell with arguments utilized to start a process on a remote endpoint by abusing the WinRM protocol. Specifically, this search looks for the abuse of the `Invoke-Command` commandlet. Red Teams and adversaries alike may abuse WinRM for lateral movement and remote code execution.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]}
 known_false_positives = Administrators may leverage WinRM and `Invoke-Command` to start a process on remote systems for system administration or automation use cases. This activity is usually limited to a small set of hosts or users. In certain environments, tuning may not be possible.
 providing_technologies = ["Microsoft Windows"]
@@ -9085,7 +9245,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the execution of `winrs.exe` with command-line arguments utilized to start a process on a remote endpoint. Red Teams and adversaries alike may abuse the WinRM protocol and this binary for lateral movement and remote code execution.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]}
 known_false_positives = Administrators may leverage WinRM and WinRs to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -9095,7 +9255,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic identifies wmic.exe being launched with parameters to spawn a process on a remote system. Red Teams and adversaries alike may abuse WMI and this binary for lateral movement and remote code execution.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
 known_false_positives = The wmic.exe utility is a benign Windows application. It may be used legitimately by Administrators with these parameters for remote system administration, but it's relatively uncommon.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
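Review bot: The new `"kill_chain_phases": ["Installation"]` on this annotations line is inconsistent with the sibling remote-execution detections in the same diff: the DCOM, WinRM and winrs hunks (`@@ -9045`, `@@ -9055`, `@@ -9065`, `@@ -9075`, `@@ -9085`) are all tagged `["Exploitation"]`, while this wmic.exe hunk and the two `Invoke-WmiMethod` hunks that follow it (`@@ -9105`, `@@ -9115`) get `["Installation"]` for the same behaviour, starting a process on a remote host. Anyone filtering or scoring detections by kill-chain phase will treat equivalent lateral-movement analytics differently, which looks like an artifact of the phase being derived from the T1047 mapping rather than from what the analytic observes. Because the commit states the dist files are produced by the release job, the fix belongs in the source definitions of these three detections; the expected generated line would be `+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}`.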
@@ -9105,7 +9265,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic looks for the execution of `powershell.exe` leveraging the `Invoke-WmiMethod` commandlet complemented with arguments utilized to start a process on a remote endpoint by abusing WMI. Red Teams and adversaries alike may abuse WMI and `powershell.exe` for lateral movement and remote code execution. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} known_false_positives = Administrators may leverage WWMI and powershell.exe to start a process on remote systems, but this activity is usually limited to a small set of hosts or users. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9115,7 +9275,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Invoke-WmiMethod` commandlet with arguments utilized to start a process on a remote endpoint by abusing WMI. Red Teams and adversaries alike may abuse WMI and this commandlet for lateral movement and remote code execution. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} known_false_positives = Administrators may leverage WWMI and powershell.exe to start a process on remote systems, but this activity is usually limited to a small set of hosts or users. providing_technologies = ["Microsoft Windows"] 
@@ -9125,7 +9285,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain computers. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain computers for situational awareness and Active Directory Discovery. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} known_false_positives = Administrators or power users may use Adsisearcher for troubleshooting. providing_technologies = ["Microsoft Windows"] 
@@ -9135,7 +9295,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to discover remote systems. The `computer` argument returns a list of all computers registered in the domain. Red Teams and adversaries alike engage in remote system discovery for situational awareness and Active Directory Discovery. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]} known_false_positives = Administrators or power users may use this command for troubleshooting. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9145,7 +9305,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to discover remote systems. The argument `domain computers /domain` returns a list of all domain computers. Red Teams and adversaries alike use net.exe to identify remote systems for situational awareness and Active Directory Discovery. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]} known_false_positives = Administrators or power users may use this command for troubleshooting. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9155,7 +9315,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to discover remote systems. The arguments utilized in this command return a list of all the systems registered in the domain. Red Teams and adversaries alike may leverage WMI and wmic.exe to identify remote systems for situational awareness and Active Directory Discovery. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} known_false_positives = Administrators or power users may use this command for troubleshooting. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9165,7 +9325,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies usage of `wmic.exe` spawning a local or remote process, identified by the `node` switch. During triage, review parallel processes for additional commands executed. Look for any file modifications before and after `wmic.exe` execution. In addition, identify the remote endpoint and confirm execution or file modifications. Contain and isolate the endpoint as needed. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} known_false_positives = Administrators may use this legitimately to gather info from remote systems. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9175,7 +9335,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytics identifies the resizing of shadowstorage by ransomware malware to avoid the shadow volumes being made again. this technique is an alternative by ransomware attacker than deleting the shadowstorage which is known alert in defensive team. one example of ransomware that use this technique is CLOP ransomware where it drops a .bat file that will resize the shadowstorage to minimum size as much as possible how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} known_false_positives = network admin can resize the shadowstorage for valid purposes. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9185,7 +9345,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic identifies suspicious commandline parameter that are commonly used by REVIL ransomware to encrypts the compromise machine. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1204"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.CM"]} known_false_positives = third party tool may have same command line parameters as revil ransomware. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9195,7 +9355,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic identifies suspicious modification in registry entry to keep some malware data during its infection. This technique seen in several apt implant, malware and ransomware like REVIL where it keep some information like the random generated file extension it uses for all the encrypted files and ransomware notes file name in the compromised host. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9205,7 +9365,7 @@ asset_type = Endpoint confidence = medium explanation = Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin Delpys Kekeo project and Vincent LE TOUXs MakeMeEnterpriseAdmin project. This analytic looks for the use of Rubeus command line arguments utilized in common Kerberos attacks like exporting and importing tickets, forging silver and golden tickets, requesting a TGT or TGS, kerberoasting, password spraying, etc. Red teams and adversaries alike use Rubeus for Kerberos attacks within Active Directory networks. Defenders should be aware that adversaries may customize the source code of Rubeus and modify the command line parameters. This would effectively bypass this analytic. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1550", "T1550.003", "T1558", "T1558.003", "T1558.004"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.003", "T1558", "T1558.003", "T1558.004"], "nist": ["DE.CM"]} known_false_positives = Although unlikely, legitimate applications may use the same command line parameters as Rubeus. Filter as needed. 
providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] @@ -9215,7 +9375,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic looks for a process accessing the winlogon.exe system process. The Splunk Threat Research team identified this behavior when using the Rubeus tool to monitor for and export kerberos tickets from memory. Before being able to export tickets. Rubeus will try to escalate privileges to SYSTEM by obtaining a handle to winlogon.exe before trying to monitor for kerberos tickets. Exporting tickets from memory is typically the first step for pass the ticket attacks. Red teams and adversaries alike may use the pass the ticket technique using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Defenders should be aware that adversaries may customize the source code of Rubeus to potentially bypass this analytic. how_to_implement = This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1550", "T1550.003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.003"], "nist": ["DE.CM"]} known_false_positives = Legitimate applications may obtain a handle for winlogon.exe. Filter as needed providing_technologies = null 
@@ -9225,7 +9385,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic look for a spawned runas.exe process with a administrator user option parameter. This parameter was abused by adversaries, malware author or even red teams to gain elevated privileges in target host. This is a good hunting query to figure out privilege escalation tactics that may used for different stages like lateral movement but take note that administrator may use this command in purpose so its better to see other event context before and after this analytic. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1134", "T1134.001"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134", "T1134.001"], "nist": ["DE.AE"]} known_false_positives = A network operator or systems administrator may utilize an automated or manual execute this command that may generate false positives. filter is needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9235,7 +9395,7 @@ asset_type = Endpoint confidence = medium explanation = The following hunting detection identifies rundll32.exe with `control_rundll` within the command-line, loading a .cpl or another file type. Developed in relation to CVE-2021-40444. Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. \ This is written to be a bit more broad by not including .cpl. \ During triage, review parallel processes to identify any further suspicious behavior. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.AE"]} known_false_positives = This is a hunting detection, meant to provide a understanding of how voluminous control_rundll is within the environment. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9245,7 +9405,7 @@ asset_type = Endpoint confidence = medium explanation = The following detection identifies rundll32.exe with `control_rundll` within the command-line, loading a .cpl or another file type from windows\temp, programdata, or appdata. Developed in relation to CVE-2021-40444. Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. This is written to be a bit more broad by not including .cpl. The paths are specified, add more as needed. During triage, review parallel processes to identify any further suspicious behavior. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} known_false_positives = This may be tuned, or a new one related, by adding .cpl to command-line. However, it's important to look for both. Tune/filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9255,7 +9415,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic identifies the suspicious Remote Thread execution of rundll32.exe to any process. This technique was seen in IcedID malware to execute its malicious code in normal process for defense evasion and to steal sensitive information in the compromised host. how_to_implement = To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = null @@ -9265,7 +9425,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic identifies the suspicious Remote Thread execution of rundll32.exe process to "firefox.exe" and "chrome.exe" browser. This technique was seen in IcedID malware where it hooks the browser to parse banking information as user used the targetted browser process. how_to_implement = To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = null 
@@ -9275,7 +9435,7 @@ asset_type = Endpoint confidence = medium explanation = This search is to detect a suspicious rundll32.exe process having a http connection and do a dns query in some web domain. This technique was seen in IcedID malware where the rundll32 that execute its payload will contact amazon.com to check internet connect and to communicate to its C&C server to download config and other file component. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and eventcode = 22 dnsquery executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = null 
@@ -9285,7 +9445,7 @@ asset_type = Endpoint confidence = medium explanation = This search is to detect a suspicious rundll32 commandline to lock the workstation through command line. This technique was seen in CONTI leak tooling and script as part of its defense evasion. This technique is not a common practice to lock a screen and maybe a good indicator of compromise. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.AE"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9295,7 +9455,7 @@ asset_type = Endpoint confidence = medium explanation = This search is to detect a suspicious rundll32 process that drops executable (.exe or .dll) files. This behavior seen in rundll32 process of IcedID that tries to drop copy of itself in temp folder or download executable drop it either appdata or programdata as part of its execution. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, TargetFilename, and eventcode 11 executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = null 
@@ -9305,7 +9465,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic is to detect a suspicious rundll32 commandline to clear shim cache. This technique is a anti-forensic technique to clear the cache taht are one important artifacts in terms of digital forensic during attacks or incident. This TTP is a good indicator that someone tries to evade some tools and clear foothold on the machine. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9315,7 +9475,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies rundll32.exe with no command line arguments and performing a network connection. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} known_false_positives = Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9325,7 +9485,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies rundll32.exe loading an export function by ordinal value. Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly, may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Utilizing ordinal values makes it a bit more complicated for analysts to understand the behavior until the DLL is reviewed. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} known_false_positives = False positives are possible with native utilities and third party applications. Filtering may be needed based on command-line, or add world writeable paths to restrict query. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9335,7 +9495,7 @@ asset_type = Endpoint confidence = medium explanation = The search looks for files that contain the key word *Ryuk* under any folder in the C drive, which is consistent with Ryuk propagation. how_to_implement = You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data-model object. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1486"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.CM"]} known_false_positives = If there are files with this keywoord as file names it might trigger false possitives, please make use of our filters to tune out potential FPs. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9345,7 +9505,7 @@ asset_type = Endpoint confidence = medium explanation = This Splunk query identifies the use of Wake-on-LAN utilized by Ryuk ransomware. The Ryuk Ransomware uses the Wake-on-Lan feature to turn on powered off devices on a compromised network to have greater success encrypting them. This is a high fidelity indicator of Ryuk ransomware executing on an endpoint. Upon triage, isolate the endpoint. Additional file modification events will be within the users profile (\appdata\roaming) and in public directories (users\public\). Review all Scheduled Tasks on the isolated endpoint and across the fleet. Suspicious Scheduled Tasks will include a path to a unknown binary and those endpoints should be isolated until triaged. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.CM"]} known_false_positives = Limited to no known false positives. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9355,7 +9515,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies access to SAM, SYSTEM or SECURITY databases' within the file path of `windows\system32\config` using Windows Security EventCode 4663. This particular behavior is related to credential access, an attempt to either use a Shadow Copy or recent CVE-2021-36934 to access the SAM database. The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, 8.1 and 10 that stores users' passwords. how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.AE"]} known_false_positives = Natively, `dllhost.exe` will access the files. Every environment will have additional native processes that do as well. Filter by process_name. As an aside, one can remove process_name entirely and add `Object_Name=*ShadowCopy*`. providing_technologies = ["Microsoft Windows"] 
@@ -9365,7 +9525,7 @@ asset_type = Endpoint confidence = medium explanation = The search looks for a file named "test.txt" written to the windows system directory tree, which is consistent with Samsam propagation. how_to_implement = You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1486"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.CM"]} known_false_positives = No false positives have been identified. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9375,7 +9535,7 @@ asset_type = Endpoint confidence = medium explanation = This search looks for arguments to sc.exe indicating the creation or modification of a Windows service. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.CM"]} known_false_positives = Using sc.exe to manipulate Windows services is uncommon. However, there may be legitimate instances of this behavior. It is important to validate and investigate as appropriate. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9385,7 +9545,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic is to detect an application try to connect and create ADSI Object to do LDAP query. Every time an application connects to the directory and attempts to create an ADSI object, the Active Directory Schema is checked for changes. If it has changed since the last connection, the schema is downloaded and stored in a cache on the local computer either in %LOCALAPPDATA%\Microsoft\Windows\SchCache or %systemroot%\SchCache. We found this a good anomaly use case to detect suspicious application like blackmatter ransomware that use ADS object api to execute ldap query. having a good list of ldap or normal AD query tool used within the network is a good start to reduce the noise. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]} known_false_positives = normal application like mmc.exe and other ldap query tool may trigger this detections. providing_technologies = null 
@@ -9398,7 +9558,7 @@ The search returns information about the task, such as the task name, command, a Implementing this analytic requires ingesting logs with information about task schedules, specifically Windows Security Log EventCode 4698, from your endpoints. It is recommended to tune and filter known instances of task schedules used in your environment to minimize false positives.\ Detecting the registration of suspicious tasks with HTTP command arguments is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is found, further investigation is warranted to analyze the nature and purpose of the scheduled task, identify any downloaded files or payloads, and mitigate the associated risks. The impact of a true positive can vary but may include data exfiltration, malware propagation, or unauthorized access to sensitive information. how_to_implement = To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = ["Microsoft Windows"] 
@@ -9411,7 +9571,7 @@ If a true positive is found, it suggests an attacker is trying to persist within To implement this analytic, ensure you are ingesting logs with task schedule information from your endpoints. Be aware of potential false positives - legitimate uses of Task Scheduler in your environment may cause benign activities to be flagged.\ Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. how_to_implement = To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = ["Microsoft Windows"] 
@@ -9422,7 +9582,7 @@ confidence = medium explanation = The following analytic detects the creation of suspicious tasks on a remote Windows endpoint using the at.exe command with command-line arguments. This technique is commonly used by red teams and adversaries for lateral movement and remote code execution. The at.exe binary leverages the deprecated AT protocol, which may still work on previous versions of Windows. Attackers can enable this protocol on demand by modifying a system registry key. It is important to consider potential false positives. While administrators may create scheduled tasks on remote systems, this activity is typically limited to a small set of hosts or users.\ Identifying the creation of scheduled tasks on remote endpoints is crucial for a Security Operations Center (SOC) because it indicates potential unauthorized activity or an attacker attempting to establish persistence or execute malicious code. The impact of a true positive can be significant, leading to unauthorized access, data theft, or other damaging outcomes. During triage, investigate the source and purpose of the scheduled task, inspect relevant on-disk artifacts, and analyze concurrent processes to identify the extent of the attack and take appropriate response actions. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053", "T1053.002"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.002"], "nist": ["DE.CM"]} known_false_positives = Administrators may create scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9432,7 +9592,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic focuses on identifying the creation or deletion of scheduled tasks using the schtasks.exe utility with the corresponding command-line flags (-create or -delete). This technique has been notably associated with threat actors like Dragonfly and the SUNBURST attack against SolarWinds. The purpose of this analytic is to detect suspicious activity related to scheduled tasks that could indicate malicious intent or unauthorized system manipulation. By monitoring for these specific command-line flags, we can enhance our ability to identify potential threats and prevent attacks similar to the use of scheduled tasks in the BadRabbit Ransomware incident. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} known_false_positives = While it is possible for legitimate scripts or administrators to trigger this behavior, filtering can be applied based on the parent process and application to reduce false positives. 
Analysts should reference the provided references to understand the context and threat landscape associated with this activity. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9442,7 +9602,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic detects instances of 'schtasks.exe' being used to start a Scheduled Task on a remote endpoint. Adversaries often abuse the Task Scheduler for lateral movement and remote code execution. The search parameters include process details such as the process name, parent process, and command-line executions. Although legitimate administrators may start scheduled tasks on remote systems, this activity is usually limited to a small set of hosts or users. The findings from this analytic provide valuable insight into potentially malicious activities on an endpoint. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} known_false_positives = Administrators may start scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9452,7 +9612,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic is designed to detect when a Windows Scheduled Task is executed on demand via shell or command line. Adversaries often force the execution of their created Scheduled Tasks for persistent access or lateral movement within a compromised machine. This analytic is driven by process-related data, specifically process name, parent process, and command-line executions, sourced from endpoint logs. The search criteria focus on 'schtasks.exe' with an associated 'run' command. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} known_false_positives = Bear in mind, administrators debugging Scheduled Task entries may trigger this analytic, necessitating fine-tuning and filtering to distinguish between legitimate and potentially malicious use of 'schtasks.exe'. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9462,7 +9622,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic is designed to detect suspicious command-line arguments executed through 'schtasks.exe' to create a scheduled task on a remote endpoint. The analytic scans process data, checking for instances where 'schtasks.exe' has been used with specific command-line flags that suggest an attempt at lateral movement or remote code execution, common techniques employed by adversaries and red teams. Key data points include the process name, the specific command line used, the parent process name, the target destination, and the user involved. Also, timestamp data gives context to when these activities occurred. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} known_false_positives = While it is possible to have false positives, due to legitimate administrative tasks, these are usually limited and should still be validated and investigated as appropriate. 
providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9472,7 +9632,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic utilizes a Splunk query to pinpoint potential threats by monitoring the 'schtasks.exe' command-line usage. This particular command, especially when used in tandem with 'shutdown' and '/create' flags, can suggest an adversarial force intending to schedule unwarranted system reboots. The query focuses on endpoint process data and retrieves details such as the process name, the parent process name, the destination, and the user involved. Essential to the investigation are the earliest and latest timestamps of these events, providing an activity timeline. Data such as the targeted host and initiating user offer valuable context for analyst. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} known_false_positives = This analytic may also capture legitimate administrative activities such as system updates or maintenance tasks, which can be classified as false positives. Filter as needed. 
providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] @@ -9482,7 +9642,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic is developed to detect possible event trigger execution through screensaver registry entry modification for persistence or privilege escalation. This technique was seen in several APT and malware where they put the malicious payload path to the SCRNSAVE.EXE registry key to redirect the execution to their malicious payload path. This TTP is a good indicator that some attacker may modify this entry for their persistence and privilege escalation. how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1546", "T1546.002"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546", "T1546.002"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9492,7 +9652,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic detects any potential misuse of Windows Management Instrumentation (WMI) for malicious purposes since adversaries often use WMI to run scripts which allows them to carry out malicious activities without raising suspicion. The detection is made by monitoring the process 'scrcons.exe', which is essential to run WMI scripts. The detection is important because it proactively identifies and responds to potential threats that leverage WMI for malicious purposes that can lead to system compromise, data exfiltration, or the establishment of persistence within the environment. False positives might occur since administrators might occasionally use WMI to launch scripts for legitimate purposes. Therefore, you must distinguish between malicious and benign activities. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} known_false_positives = Although unlikely, administrators may use wmi to launch scripts for legitimate purposes. Filter as needed. 
providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] @@ -9502,7 +9662,7 @@ asset_type = Endpoint confidence = medium explanation = This search is to detect a suspicious sdclt.exe registry modification. This technique is commonly seen when attacker try to bypassed UAC by using sdclt.exe application by modifying some registry that sdclt.exe tries to open or query with payload file path on it to be executed. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} known_false_positives = Limited to no false positives are expected. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9512,7 +9672,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic is to detect the execution of sdelete.exe application sysinternal tools. This tool is one of the most use tool of malware and adversaries to remove or clear their tracks and artifact in the targetted host. This tool is designed to delete securely a file in file system that remove the forensic evidence on the machine. A good TTP query to check why user execute this application which is not a common practice. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]} known_false_positives = user may execute and use this application providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9522,7 +9682,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies searchprotocolhost.exe with no command line arguments and with a network connection. It is unusual for searchprotocolhost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. searchprotocolhost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} known_false_positives = Limited false positives may be present in small environments. Tuning may be required based on parent process. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9532,7 +9692,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic detects a potential usage of secretsdump.py tool for dumping credentials (ntlm hash) from a copy of ntds.dit and SAM.Security,SYSTEM registrry hive. This technique was seen in some attacker that dump ntlm hashes offline after having a copy of ntds.dit and SAM/SYSTEM/SECURITY registry hive. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9546,7 +9706,7 @@ A service principal name (SPN) is a unique identifier of a service instance. SPN The following analytic identifies the use of KerberosRequestorSecurityToken class within the script block. Using .NET System.IdentityModel.Tokens.KerberosRequestorSecurityToken class in PowerShell is the equivelant of using setspn.exe. \ During triage, review parallel processes for further suspicious activity. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1558.003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558.003"], "nist": ["DE.CM"]} known_false_positives = False positives should be limited, however filter as needed. providing_technologies = ["Microsoft Windows"] 
@@ -9563,7 +9723,7 @@ Values \ 1. -F = perform queries at the forest, rather than domain level 1. -T = perform query on the specified domain or forest (when -F is also used) 1. -Q = query for existence of SPN \ During triage, review parallel processes for further suspicious activity. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1558.003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558.003"], "nist": ["DE.CM"]} known_false_positives = False positives may be caused by Administrators resetting SPNs or querying for SPNs. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9573,7 +9733,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the use of `svc-exe` with Cobalt Strike. The behavior typically follows after an adversary has already gained initial access and is escalating privileges. Using `svc-exe`, a randomly named binary will be downloaded from the remote Teamserver and placed on disk within `C:\Windows\400619a.exe`. Following, the binary will be added to the registry under key `HKLM\System\CurrentControlSet\Services\400619a\` with multiple keys and values added to look like a legitimate service. Upon loading, `services.exe` will spawn the randomly named binary from `\\127.0.0.1\ADMIN$\400619a.exe`. The process lineage is completed with `400619a.exe` spawning rundll32.exe, which is the default `spawnto_` value for Cobalt Strike. The `spawnto_` value is arbitrary and may be any process on disk (typically system32/syswow64 binary). The `spawnto_` process will also contain a network connection. During triage, review parallel procesess and identify any additional file modifications. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.CM"]} known_false_positives = False positives should be limited as `services.exe` should never spawn a process from `ADMIN$`. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9583,7 +9743,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies `services.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Service Control Manager and creating a remote malicious service, the executed command is spawned as a child process of `services.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of services.exe that are part of the LOLBAS project can help defenders identify lateral movement activity. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.CM"]} known_false_positives = Legitimate applications may trigger this behavior, filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9593,7 +9753,7 @@ asset_type = Endpoint confidence = medium explanation = Monitor for changes of the ExecutionPolicy in the registry to the values "unrestricted" or "bypass," which allows the execution of malicious scripts. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} known_false_positives = Administrators may attempt to change the default execution policy on a system for a variety of reasons. However, setting the policy to "unrestricted" or "bypass" as this search is designed to identify, would be unusual. Hits should be reviewed and investigated as appropriate. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9603,7 +9763,7 @@ asset_type = Endpoint confidence = medium explanation = This search looks for shim database files being written to default directories. The sdbinst.exe application is used to install shim database files (.sdb). According to Microsoft, a shim is a small library that transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere. how_to_implement = You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"]} known_false_positives = Because legitimate shim files are created and used all the time, this event, in itself, is not suspicious. However, if there are other correlating events, it may warrant further investigation. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9613,7 +9773,7 @@ asset_type = Endpoint confidence = medium explanation = This search detects the process execution and arguments required to silently create a shim database. The sdbinst.exe application is used to install shim database files (.sdb). A shim is a small library which transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"]} known_false_positives = None identified providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9626,7 +9786,7 @@ To implement this analytic, ensure that you are ingesting Windows Security Event It's important to note that while uncommon, legitimate applications may create and delete scheduled tasks within a short duration. Analysts should filter the results based on the specific context and environment to reduce false positives.\ Identifying short-lived scheduled tasks is valuable for a SOC as it can indicate malicious activities attempting to move laterally or execute unauthorized code on Windows systems. By detecting and investigating these events, security analysts can respond promptly to prevent further compromise and mitigate potential risks. The impact of a true positive could range from unauthorized access to data exfiltration or the execution of malicious payloads. how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.005"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005"], "nist": ["DE.CM"]} known_false_positives = Although uncommon, legitimate applications may create and delete a Scheduled Task within 30 seconds. Filter as needed. providing_technologies = ["Microsoft Windows"] 
@@ -9636,7 +9796,7 @@ asset_type = Windows confidence = medium explanation = The following analytic detects the creation and deletion of accounts in a short time period to identify potential threats earlier and take appropriate actions to mitigate the risks. Helps prevent or minimize the potential damage caused by unauthorized access or malicious activities within the environment. This detection is made by a Splunk query that searches for events with the result IDs 4720 and 4726 in the "Change" data model. The query then groups the results by time, user, and destination. The result is filtered to only include events with the specified result IDs. The "transaction" command is used to group events that occur within a specified time span and have the same user but are not connected. Finally, the relevant information such as the first and last time of the event, the count, user, destination, and result ID are displayed in a table. This detection is important because it suggests that an attacker is attempting to create and delete accounts rapidly, potentially to cover their tracks or gain unauthorized access. The impact of such an attack can include unauthorized access to sensitive data, privilege escalation, or the ability to carry out further malicious activities within the environment. Next steps include investigating the events flagged by the analytic, review the account creation and deletion activities, and analyze any associated logs or artifacts to determine the intent and impact of the attack. how_to_implement = This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs. 
More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/ -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]} known_false_positives = It is possible that an administrator created and deleted an account in a short time period. Verifying activity with an administrator is advised. providing_technologies = null 
@@ -9646,7 +9806,7 @@ asset_type = Endpoint confidence = medium explanation = This search is to detect a suspicious modification of registry that may related to UAC bypassed. This registry will be trigger once the attacker abuse the silentcleanup task schedule to gain high privilege execution that will bypass User control account. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9656,7 +9816,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic detects a behavior where a process name consists only of a single letter that helps to detect potential threats earlier and mitigate the risks. This detection is important because it indicates the presence of malware or an attacker attempting to evade detection by using a process name that is difficult to identify or track so that he can carry out malicious activities such as data theft or ransomware attacks. False positives might occur since there might be legitimate uses of single-letter process names in your environment. Next steps include reviewing the process details and investigating any suspicious activity upon triage. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.CM"]} known_false_positives = Single-letter executables are not always malicious. Investigate this activity with your normal incident-response process. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9666,7 +9826,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the Microsoft Software Licensing User Interface Tool, `slui.exe`, elevating access using the `-verb runas` function. This particular bypass utilizes a registry key/value. Identified by two sources, the registry keys are `HKCU\Software\Classes\exefile\shell` and `HKCU\Software\Classes\launcher.Systemsettings\Shell\open\command`. To simulate this behavior, multiple POC are available. The analytic identifies the use of `runas` by `slui.exe`. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} known_false_positives = Limited false positives should be present as this is not commonly used by legitimate applications. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9676,7 +9836,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the Microsoft Software Licensing User Interface Tool, `slui.exe`, spawning a child process. This behavior is associated with publicly known UAC bypass. `slui.exe` is commonly associated with software updates and is most often spawned by `svchost.exe`. The `slui.exe` process should not have child processes, and any processes spawning from it will be running with elevated privileges. During triage, review the child process and additional parallel processes. Identify any file modifications that may have lead to the bypass. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} known_false_positives = Certain applications may spawn from `slui.exe` that are legitimate. Filtering will be needed to ensure proper monitoring. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9696,7 +9856,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a suspicious child process, `rundll32.exe`, with no command-line arguments being spawned from `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to spawn a process. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} known_false_positives = Limited false positives have been identified. There are limited instances where `rundll32.exe` may be spawned by a legitimate print driver. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9706,7 +9866,7 @@ asset_type = Endpoint confidence = medium explanation = This search is to detect suspicious loading of dll in specific path relative to printnightmare exploitation. In this search we try to detect the loaded modules made by spoolsv.exe after the exploitation. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = null @@ -9716,7 +9876,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic identifies a suspicious behavior related to PrintNightmare, or CVE-2021-34527 previously (CVE-2021-1675), to gain privilege escalation on the vulnerable machine. This exploit attacks a critical Windows Print Spooler Vulnerability to elevate privilege. This detection is to look for suspicious process access made by the spoolsv.exe that may related to the attack. how_to_implement = To successfully implement this search, you need to be ingesting logs with process access event where SourceImage, TargetImage, GrantedAccess and CallTrace executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of spoolsv.exe. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} known_false_positives = Unknown. Filter as needed. providing_technologies = null 
@@ -9726,7 +9886,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a `.dll` being written by `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to write a `.dll`. Current POC code used will write the suspicious DLL to disk within a path of `\spool\drivers\x64\`. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} known_false_positives = Unknown. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -9736,7 +9896,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a `.dll` being written by `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 previously(CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to write a `.dll`. Current POC code used will write the suspicious DLL to disk within a path of `\spool\drivers\x64\`. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} known_false_positives = Limited false positives. Filter as needed. providing_technologies = null 
@@ -9746,7 +9906,7 @@ asset_type = Endpoint confidence = medium explanation = This search is to detect a suspicious file creation of sqlite3.dll in %temp% folder. This behavior was seen in IcedID malware where it download sqlite module to parse browser database like for chrome or firefox to stole browser information related to bank, credit card or credentials. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1005"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1005"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = null 
@@ -9756,7 +9916,7 @@ asset_type = Endpoint confidence = medium explanation = This correlation rule focuses on detecting potential threats associated with MITRE ATT&CK T1649 (Steal or Forge Authentication Certificates). The rule is designed to identify instances where 5 or more analytics related to Windows Certificate Services analytic story that are triggered within a specified time frame, which may indicate a potential attack in progress. By aggregating these analytics, security teams can swiftly respond to and investigate any suspicious activities, enhancing their ability to protect critical assets and prevent unauthorized access to sensitive information. how_to_implement = The Windows Certificate Services analytic story must have 5 or more analytics enabled. In addition, ensure data is being logged that is required. Modify the correlation as needed based on volume of noise related to the other analytics. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} known_false_positives = False positives may be present based on automated tooling or system administrators. Filter as needed. providing_technologies = null 
@@ -9766,7 +9926,7 @@ asset_type = Windows confidence = medium explanation = The malware sunburst will load the malicious dll by SolarWinds.BusinessLayerHost.exe. After a period of 12-14 days, the malware will attempt to resolve a subdomain of avsvmcloud.com. This detections will correlate both events. how_to_implement = This detection relies on sysmon logs with the Event ID 7, Driver loaded. Please tune your sysmon config that you DriverLoad event for SolarWinds.Orion.Core.BusinessLayer.dll is captured by Sysmon. Additionally, you need sysmon logs for Event ID 22, DNS Query. We suggest to run this detection at least once a day over the last 14 days. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1203"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1203"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = null 
@@ -9776,7 +9936,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries need to create a new computer account name and rename it to match the name of a domain controller account without the ending '$'. In Windows Active Directory environments, computer account names always end with `$`. This analytic leverages Event Id 4781, `The name of an account was changed`, to identify a computer account rename event with a suspicious name that does not terminate with `$`. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation.
 how_to_implement = To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.CM"]}
 known_false_positives = Renaming a computer account name to a name that not end with '$' is highly unsual and may not have any legitimate scenarios.
 providing_technologies = ["Microsoft Windows"]
 
@@ -9786,7 +9946,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to detect a suspicious copy of file from systemroot folder of the windows OS. This technique is commonly used by APT or other malware as part of execution (LOLBIN) to run its malicious code using the available legitimate tool in OS. this type of event may seen or may execute of normal user in some instance but this is really a anomaly that needs to be check within the network.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1036.003", "T1036"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.003", "T1036"], "nist": ["DE.CM"]}
 known_false_positives = every user may do this event but very un-ussual.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -9796,7 +9956,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies the use of a curl contacting suspicious remote domains to checkin to Command And Control servers or download further implants. In the context of Silver Sparrow, curl is identified contacting s3.amazonaws.com. This particular behavior is common with MacOS adware-malicious software.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
 known_false_positives = Unknown. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -9806,7 +9966,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
 known_false_positives = Limited false positives may be present in small environments. Tuning may be required based on parent process.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -9816,7 +9976,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic will detect suspicious driver loaded paths. This technique is commonly used by malicious software like coin miners (xmrig) to register its malicious driver from notable directories where executable or drivers do not commonly exist. During triage, validate this driver is for legitimate business use. Review the metadata and certificate information. Unsigned drivers from non-standard paths is not normal, but occurs. In addition, review driver loads into `ntoskrnl.exe` for possible other drivers of interest. Long tail analyze drivers by path (outside of default, and in default) for further review.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the driver loaded and Signature from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.CM"]}
 known_false_positives = Limited false positives will be present. Some applications do load drivers
 providing_technologies = null
 
@@ -9826,7 +9986,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic utilizes Windows Event ID 1100 to identify when Windows event log service is shutdown. Note that this is a voluminous analytic that will require tuning or restricted to specific endpoints based on criticality. This event generates every time Windows Event Log service has shut down. It also generates during normal system shutdown. During triage, based on time of day and user, determine if this was planned. If not planned, follow through with reviewing parallel alerts and other data sources to determine what else may have occurred.
 how_to_implement = To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1070", "T1070.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070", "T1070.001"], "nist": ["DE.CM"]}
 known_false_positives = It is possible the Event Logging service gets shut down due to system errors or legitimately administration tasks. Filter as needed.
 providing_technologies = ["Microsoft Windows"]
 
@@ -9836,7 +9996,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies gpupdate.exe with no command line arguments. It is unusual for gpupdate.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. gpupdate.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
 known_false_positives = Limited false positives may be present in small environments. Tuning may be required based on parent process.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -9846,7 +10006,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect a suspicious rundll32.exe commandline to execute dll file. This technique was seen in IcedID malware to load its payload dll with the following parameter to load encrypted dll payload which is the license.dat.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
 known_false_positives = limitted. this parameter is not commonly used by windows application but can be used by the network operator.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -9856,7 +10016,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect a suspicious creation of image in appdata folder made by process that also has a file reference in appdata folder. This technique was seen in remcos rat that capture screenshot of the compromised machine and place it in the appdata and will be send to its C2 server. This TTP is really a good indicator to check that process because it is in suspicious folder path and image files are not commonly created by user in this folder path.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -9866,7 +10026,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries will request and obtain a Kerberos Service Ticket (TGS) with a domain controller computer account as the Service Name. This Service Ticket can be then used to take control of the domain controller on the final part of the attack. This analytic leverages Event Id 4769, `A Kerberos service ticket was requested`, to identify an unusual TGS request where the Account_Name requesting the ticket matches the Service_Name field. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation.
 how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.CM"]}
 known_false_positives = We have tested this detection logic with ~2 million 4769 events and did not identify false positives. However, they may be possible in certain environments. Filter as needed.
 providing_technologies = ["Microsoft Windows"]
 
@@ -9877,7 +10037,7 @@ confidence = medium
 explanation = This search, detects execution of suspicious bash commands from various commonly leveraged bash scripts like (AutoSUID, LinEnum, LinPeas) to perform discovery of possible paths of privilege execution, password files, vulnerable directories, executables and file permissions on a Linux host.\
 The search logic specifically looks for high number of distinct commands run in a short period of time.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.004"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.004"], "nist": ["DE.CM"]}
 known_false_positives = Unless an administrator is using these commands to troubleshoot or audit a system, the execution of these commands should be monitored.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -9887,7 +10047,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a renamed instance of microsoft.workflow.compiler.exe. Microsoft.workflow.compiler.exe is natively found in C:\Windows\Microsoft.NET\Framework64\v4.0.30319 and is rarely utilized. When investigating, identify the executed code on disk and review. A spawned child process from microsoft.workflow.compiler.exe is uncommon. In any instance, microsoft.workflow.compiler.exe spawning from an Office product or any living off the land binary is highly suspect.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1036", "T1127", "T1036.003"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1127", "T1036.003"], "nist": ["DE.AE"]}
 known_false_positives = Although unlikely, some legitimate applications may use a moved copy of microsoft.workflow.compiler.exe, triggering a false positive.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -9897,7 +10057,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies microsoft.workflow.compiler.exe usage. microsoft.workflow.compiler.exe is natively found in C:\Windows\Microsoft.NET\Framework64\v4.0.30319 and is rarely utilized. When investigating, identify the executed code on disk and review. It is not a commonly used process by many applications.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1127"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1127"], "nist": ["DE.CM"]}
 known_false_positives = Although unlikely, limited instances have been identified coming from native Microsoft utilities similar to SCCM.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -9907,7 +10067,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies msbuild.exe executing from a non-standard path. Msbuild.exe is natively found in C:\Windows\Microsoft.NET\Framework\v4.0.30319 and C:\Windows\Microsoft.NET\Framework64\v4.0.30319. Instances of Visual Studio will run a copy of msbuild.exe. A moved instance of MSBuild is suspicious, however there are instances of build applications that will move or use a copy of MSBuild.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1036", "T1127", "T1036.003", "T1127.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1127", "T1036.003", "T1127.001"], "nist": ["DE.CM"]}
 known_false_positives = Some legitimate applications may use a moved copy of msbuild.exe, triggering a false positive. Baselining of MSBuild.exe usage is recommended to better understand it's path usage. Visual Studio runs an instance out of a path that will need to be filtered on.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -9917,7 +10077,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies renamed instances of msbuild.exe executing. Msbuild.exe is natively found in C:\Windows\Microsoft.NET\Framework\v4.0.30319 and C:\Windows\Microsoft.NET\Framework64\v4.0.30319. During investigation, identify the code executed and what is executing a renamed instance of MSBuild.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1036", "T1127", "T1036.003", "T1127.001"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1127", "T1036.003", "T1127.001"], "nist": ["DE.AE"]}
 known_false_positives = Although unlikely, some legitimate applications may use a moved copy of msbuild, triggering a false positive.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -9927,7 +10087,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies wmiprvse.exe spawning msbuild.exe. This behavior is indicative of a COM object being utilized to spawn msbuild from wmiprvse.exe. It is common for MSBuild.exe to be spawned from devenv.exe while using Visual Studio. In this instance, there will be command line arguments and file paths. In a malicious instance, MSBuild.exe will spawn from non-standard processes and have no command line arguments. For example, MSBuild.exe spawning from explorer.exe, powershell.exe is far less common and should be investigated.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1127", "T1127.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1127", "T1127.001"], "nist": ["DE.CM"]}
 known_false_positives = Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -9937,7 +10097,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies child processes spawning from "mshta.exe". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process "mshta.exe" and its child process.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]}
 known_false_positives = Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -9947,7 +10107,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies wmiprvse.exe spawning mshta.exe. This behavior is indicative of a DCOM object being utilized to spawn mshta from wmiprvse.exe or svchost.exe. In this instance, adversaries may use LethalHTA that will spawn mshta.exe from svchost.exe.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]}
 known_false_positives = Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -9964,7 +10124,7 @@ explanation = The following analytic identifies the use of a native MacOS utilit
 - PlistBuddy -c "Add :ProgramArguments:1 string -c" ~/Library/Launchagents/init_verx.plist \
 Upon triage, capture the property list file being written to disk and review for further indicators. Contain the endpoint and triage further.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1543.001", "T1543"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543.001", "T1543"], "nist": ["DE.CM"]}
 known_false_positives = Some legitimate applications may use PlistBuddy to create or modify property lists and possibly generate false positives. Review the property list being modified or created to confirm.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -9981,7 +10141,7 @@ explanation = The following analytic identifies the use of a native MacOS utilit
 - PlistBuddy -c "Add :ProgramArguments:1 string -c" ~/Library/Launchagents/init_verx.plist \
 Upon triage, capture the property list file being written to disk and review for further indicators. Contain the endpoint and triage further.
 how_to_implement = OSQuery must be installed and configured to pick up process events (info at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. Modify the macro and validate fields are correct.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1543.001", "T1543"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543.001", "T1543"], "nist": ["DE.CM"]}
 known_false_positives = Some legitimate applications may use PlistBuddy to create or modify property lists and possibly generate false positives. Review the property list being modified or created to confirm.
 providing_technologies = null
 
@@ -9991,7 +10151,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network.
 how_to_implement = This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.CM"]}
 known_false_positives = Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed.
 providing_technologies = null
 
@@ -10001,7 +10161,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic identifies a suspicious process spawned by another process from within common container/archive file types. This technique was a common technique used by adversaries and malware to execute scripts or evade defenses. This TTP may detect some normal software installation or user behaviors where opening archive files is common. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1204.002", "T1036.008"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1204.002", "T1036.008"], "nist": ["DE.CM"]} known_false_positives = Various business process or userland applications and behavior. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -10011,7 +10171,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic identifies a suspicious processes running in file paths that are not typically associated with legitimate software. Adversaries often employ this technique to drop and execute malicious executables in accessible locations that do not require administrative privileges. By monitoring for processes running in such unconventional file paths, we can identify potential indicators of compromise and proactively respond to malicious activity. This analytic plays a crucial role in enhancing system security by pinpointing suspicious behaviors commonly associated with malware and unauthorized software execution. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1543"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543"], "nist": ["DE.CM"]} known_false_positives = Administrators may allow execution of specific binaries in non-standard paths. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -10021,7 +10181,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic identifies a process making a DNS query to Discord, a well known instant messaging and digital distribution platform. Discord can be abused by adversaries, as seen in the WhisperGate campaign, to host and download malicious. external files. A process resolving a Discord DNS name could be an indicator of malware trying to download files from Discord for further execution. how_to_implement = his detection relies on sysmon logs with the Event ID 22, DNS Query. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.AE"]} known_false_positives = Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed. providing_technologies = null 
@@ -10031,7 +10191,7 @@ asset_type = Endpoint confidence = medium explanation = This search looks for reg.exe being launched from a command prompt not started by the user. When a user launches cmd.exe, the parent process is usually explorer.exe. This search filters out those instances. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} known_false_positives = It's possible for system administrators to write scripts that exhibit this behavior. If this is the case, the search will need to be modified to filter them out. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -10041,7 +10201,7 @@ asset_type = Endpoint confidence = medium explanation = Adversaries may abuse Regsvr32.exe to proxy execution of malicious code by using non-standard file extensions to load DLLs. Upon investigating, look for network connections to remote destinations (internal or external). Review additional parrallel processes and child processes for additional activity. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.CM"]} known_false_positives = Limited false positives with the query restricted to specified paths. Add more world writeable paths as tuning continues. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -10051,7 +10211,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies rundll32.exe using dllregisterserver on the command line to load a DLL. When a DLL is registered, the DllRegisterServer method entry point in the DLL is invoked. This is typically seen when a DLL is being registered on the system. Not every instance is considered malicious, but it will capture malicious use of it. During investigation, review the parent process and parrellel processes executing. Capture the DLL being loaded and inspect further. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} known_false_positives = This is likely to produce false positives and will require some filtering. Tune the query by adding command line paths to known good DLLs, or filtering based on parent process names. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -10061,7 +10221,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} known_false_positives = Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -10071,7 +10231,7 @@ asset_type = Endpoint confidence = medium explanation = This search is to detect a suspicious rundll32.exe process with plugininit parameter. This technique is commonly seen in IcedID malware to execute its initial dll stager to download another payload to the compromised machine. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} known_false_positives = third party application may used this dll export name to execute function. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -10081,7 +10241,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies rundll32.exe executing a DLL function name, Start and StartW, on the command line that is commonly observed with Cobalt Strike x86 and x64 DLL payloads. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. Typically, the DLL will be written and loaded from a world writeable path or user location. In most instances it will not have a valid certificate (Unsigned). During investigation, review the parent process and other parallel application execution. Capture and triage the DLL in question. In the instance of Cobalt Strike, rundll32.exe is the default process it opens and injects shellcode into. This default process can be changed, but typically is not. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} known_false_positives = Although unlikely, some legitimate applications may use Start as a function and call it via the command line. Filter as needed. 
providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -10092,7 +10252,7 @@ confidence = medium explanation = The following analytic, "Suspicious Scheduled Task from Public Directory", detects the registration of scheduled tasks aimed to execute a binary or script from public directories, a behavior often associated with malware deployment. It utilizes the Sysmon Event ID 1 data source, searching for instances where schtasks.exe is connected with the directories users\public, \programdata\, or \windows\temp and involves the /create command.\ The registration of such scheduled tasks in public directories could suggest that an attacker is trying to maintain persistence or execute malicious scripts. If confirmed as a true positive, this could lead to data compromise, unauthorized access, and potential lateral movement within the network. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.AE"]} known_false_positives = The main source of false positives could be the legitimate use of scheduled tasks from these directories. 
Careful tuning of this search may be necessary to suit the specifics of your environment, reducing the rate of false positives. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -10102,7 +10262,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies searchprotocolhost.exe with no command line arguments. It is unusual for searchprotocolhost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. searchprotocolhost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} known_false_positives = Limited false positives may be present in small environments. Tuning may be required based on parent process. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -10112,7 +10272,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the use of a SQLite3 querying the MacOS preferences to identify the original URL the pkg was downloaded from. This particular behavior is common with MacOS adware-malicious software. Upon triage, review other processes in parallel for suspicious activity. Identify any recent package installations. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1074"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1074"], "nist": ["DE.CM"]} known_false_positives = Unknown. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -10122,7 +10282,7 @@ asset_type = Endpoint confidence = medium explanation = As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries will need to request a Kerberos Ticket Granting Ticket (TGT) on behalf of the newly created and renamed computer account. The TGT request will be preceded by a computer account name event. This analytic leverages Event Id 4781, `The name of an account was changed` and event Id 4768 `A Kerberos authentication ticket (TGT) was requested` to correlate a sequence of events where the new computer account on event id 4781 matches the request account on event id 4768. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation. how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.AE"]} known_false_positives = A computer account name change event inmediately followed by a kerberos TGT request with matching fields is unsual. However, legitimate behavior may trigger it. Filter as needed. providing_technologies = ["Microsoft Windows"] 
@@ -10132,7 +10292,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic is to detect a suspicious creation of .wav file in appdata folder. This behavior was seen in Remcos RAT malware where it put the audio recording in the appdata\audio folde as part of data collection. this recording can be send to its C2 server as part of its exfiltration to the compromised machine. creation of wav files in this folder path is not a ussual disk place used by user to save audio format file. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, file_name, file_path and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -10142,7 +10302,7 @@ asset_type = Endpoint confidence = medium explanation = The wevtutil.exe application is the windows event log utility. This searches for wevtutil.exe with parameters for clearing the application, security, setup, trace or system event logs. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1070.001", "T1070"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.001", "T1070"], "nist": ["DE.CM"]} known_false_positives = The wevtutil.exe application is a legitimate Windows event log utility. Administrators may use it to manage Windows event logs. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -10152,7 +10312,7 @@ asset_type = Windows confidence = medium explanation = The following analytic detects when a process other than explorer.exe writes to the Windows Recycle Bin to detect potential threats earlier and mitigate the risks. This detection is made by a Splunk query that utilizes the Endpoint.Filesystem data model and the Endpoint.Processes data model. The query looks for any process writing to the "*$Recycle.Bin*" file path, excluding explorer.exe. This detection is important because it suggests that an attacker is attempting to hide their activities by using the Recycle Bin, which can lead to data theft, ransomware, or other damaging outcomes. Detecting writes to the Recycle Bin by a process other than explorer.exe can help to investigate and determine if the activity is malicious or benign. False positives might occur since there might be legitimate uses of the Recycle Bin by processes other than explorer.exe. Next steps include reviewing the process writing to the Recycle Bin and any relevant on-disk artifacts upon triage. how_to_implement = To successfully implement this search you need to be ingesting information on filesystem and process logs responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` nodes. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1036"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.CM"]} known_false_positives = Because the Recycle Bin is a hidden folder in modern versions of Windows, it would be unusual for a process other than explorer.exe to write to it. Incidents should be investigated as appropriate. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -10162,7 +10322,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic is designed to spot instances of 'svchost.exe' initiating a Living Off The Land Binaries and Scripts (LOLBAS) execution process. Often, adversaries manipulate Task Scheduler to execute code on remote endpoints, resulting in the spawning of a malicious command as a child process of 'svchost.exe'. By tracking child processes of 'svchost.exe' that align with the LOLBAS project, potential lateral movement activity can be detected. The analytic examines process details, including the process name, parent process, and command-line executions. A comprehensive list of LOLBAS processes is included in the search parameters. Although the analytic might catch legitimate applications exhibiting this behavior, these instances should be filtered accordingly. The findings from this analytic offer valuable insight into potentially malicious activities on an endpoint. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} known_false_positives = Legitimate applications may trigger this behavior, filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -10172,7 +10332,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic is to detect a suspicious dxdiag.exe process command-line execution. Dxdiag is used to collect the system info of the target host. This technique has been used by Remcos RATS, various actors, and other malware to collect information as part of the recon or collection phase of an attack. This behavior should rarely be seen in a corporate network, but this command line can be used by a network administrator to audit host machine specifications. Thus in some rare cases, this detection will contain false positives in its results. To triage further, analyze what commands were passed after it pipes out the result to a file for further processing. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1592"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592"], "nist": ["DE.AE"]} known_false_positives = This commandline can be used by a network administrator to audit host machine specifications. Thus, a filter is needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -10182,7 +10342,7 @@ asset_type = Windows confidence = medium explanation = Detect system information discovery techniques used by attackers to understand configurations of the system to further exploit it. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1082"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.CM"]} known_false_positives = Administrators debugging servers providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -10194,7 +10354,7 @@ explanation = This search looks for system processes that typically execute from This detection utilizes a lookup that is deduped `system32` and `syswow64` directories from Server 2016 and Windows 10.\ During triage, review the parallel processes - what process moved the native Windows binary? identify any artifacts on disk and review. If a remote destination is contacted, what is the reputation? how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1036", "T1036.003"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1036.003"], "nist": ["DE.AE"]} known_false_positives = This detection may require tuning based on third party applications utilizing native Windows binaries in non-standard paths. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -10204,7 +10364,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the execution of `query.exe` with command-line arguments utilized to discover the logged user. Red Teams and adversaries alike may leverage `query.exe` to identify system users on a compromised endpoint for situational awareness and Active Directory Discovery.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]}
 known_false_positives = Administrators or power users may use this command for troubleshooting.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -10214,7 +10374,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the execution of `whoami.exe` without any arguments. This windows native binary prints out the current logged user. Red Teams and adversaries alike may leverage `whoami.exe` to identify system users on a compromised endpoint for situational awareness and Active Directory Discovery.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]}
 known_false_positives = Administrators or power users may use this command for troubleshooting.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -10224,7 +10384,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to detect a suspicious modification of time provider registry for persistence and autostart. This technique can allow the attacker to persist on the compromised host and autostart as soon as the machine boot up. This TTP can be a good indicator of suspicious behavior since this registry is not commonly modified by normal user or even an admin.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.003", "T1547"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.003", "T1547"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -10234,7 +10394,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = this search is to detect potential trickbot infection through the create/connected named pipe to the system. This technique is used by trickbot to communicate to its c2 to post or get command during infection.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and pipename from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. .
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = null
 
@@ -10244,7 +10404,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect a suspicious loaded unsigned dll by MMC.exe application. This technique is commonly seen in attacker that tries to bypassed UAC feature or gain privilege escalation. This is done by modifying some CLSID registry that will trigger the mmc.exe to load the dll path
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.002", "T1548", "T1218.014"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548", "T1218.014"], "nist": ["DE.CM"]}
 known_false_positives = unknown. all of the dll loaded by mmc.exe is microsoft signed dll.
 providing_technologies = null
 
@@ -10254,7 +10414,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect a possible uac bypass using the colorui.dll COM Object. this technique was seen in so many malware and ransomware like lockbit where it make use of the colorui.dll COM CLSID to bypass UAC.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]}
 known_false_positives = not so common. but 3rd part app may load this dll.
 providing_technologies = null
 
@@ -10264,7 +10424,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect a suspicious un-installation of application using msiexec. This technique was seen in conti leak tool and script where it tries to uninstall AV product using this commandline. This commandline to uninstall product is not a common practice in enterprise network.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218.007", "T1218"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007", "T1218"], "nist": ["DE.CM"]}
 known_false_positives = unknown.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -10274,7 +10434,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a process performing an outbound connection on port 88 used by default by the network authentication protocol Kerberos. Typically, on a regular Windows endpoint, only the lsass.exe process is the one tasked with connecting to the Kerberos Distribution Center to obtain Kerberos tickets. Identifying an unknown process using this protocol may be evidence of an adversary abusing the Kerberos protocol.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1550"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550"], "nist": ["DE.CM"]}
 known_false_positives = Custom applications may leverage the Kerberos protocol. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -10284,7 +10444,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = Attackers often disable security tools to avoid detection. This search looks for the usage of process `fltMC.exe` to unload a Sysmon Driver that will stop sysmon from collecting the data.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = Unknown at the moment
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -10296,7 +10456,7 @@ explanation = The following analytic utilizes PowerShell Script Block Logging (E
 This analytic identifies the behavior of AMSI being tampered with. Implemented natively in many frameworks, the command will look similar to `SEtValuE($Null,(New-OBJEct COLlECtionS.GenerIC.HAshSEt{[StrINg]))}$ReF=[ReF].AsSeMbLY.GeTTyPe("System.Management.Automation.Amsi"+"Utils")` taken from Powershell-Empire. \
 During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562", "T1059.001", "T1059"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1562", "T1059.001", "T1059"], "nist": ["DE.CM"]}
 known_false_positives = Potential for some third party applications to disable AMSI upon invocation. Filter as needed.
 providing_technologies = ["Microsoft Windows"]
 
@@ -10306,7 +10466,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following hunting analytic leverages Event ID 4769, `A Kerberos service ticket was requested`, to identify an unusual number of computer service ticket requests from one source. When a domain joined endpoint connects to a remote endpoint, it first will request a Kerberos Ticket with the computer name as the Service Name. An endpoint requesting a large number of computer service tickets for different endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc. The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of service requests. To customize this analytic, users can try different combinations of the `bucket` span time, the calculation of the `upperBound` field as well as the Outlier calculation. This logic can be used for real time security monitoring as well as threat hunting exercises.
 how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
 known_false_positives = An single endpoint requesting a large number of computer service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systeams and missconfigured systems.
 providing_technologies = ["Microsoft Windows"]
 
@@ -10317,7 +10477,7 @@ confidence = medium
 explanation = The following hunting analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential kerberoasting attack against Active Directory networks. Kerberoasting allows an adversary to request kerberos tickets for domain accounts typically used as service accounts and attempt to crack them offline allowing them to obtain privileged access to the domain.\
 The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number service ticket requests. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field.
 how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.AE"]}
 known_false_positives = An single endpoint requesting a large number of kerberos service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.
 providing_technologies = ["Microsoft Windows"]
 
@@ -10327,7 +10487,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following hunting analytic leverages Event ID 4624, `An account was successfully logged on`, to identify an unusual number of remote authentication attempts coming from one source. An endpoint authenticating to a large number of remote endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc. The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual high number of authentication events.To customize this analytic, users can try different combinations of the `bucket` span time, the calculation of the `upperBound` field as well as the Outlier calculation.This logic can be used for real time security monitoring as well as threat hunting exercises.
 how_to_implement = To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
 known_false_positives = An single endpoint authenticating to a large number of hosts is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, jump servers and missconfigured systems.
 providing_technologies = ["Microsoft Windows"]
 
@@ -10357,7 +10517,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the execution of `powershell.exe` with command-line arguments that leverage PowerShell environment variables to identify the current logged user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]}
 known_false_positives = Administrators or power users may use this command for troubleshooting.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -10367,7 +10527,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the use of PowerShell environment variables to identify the current logged user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]}
 known_false_positives = Administrators or power users may use this PowerShell commandlet for troubleshooting.
 providing_technologies = ["Microsoft Windows"]
 
@@ -10377,7 +10537,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The fsutil.exe application is a legitimate Windows utility used to perform tasks related to the file allocation table (FAT) and NTFS file systems. The update sequence number (USN) change journal provides a log of all changes made to the files on the disk. This search looks for fsutil.exe deleting the USN journal.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]}
 known_false_positives = None identified
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -10387,7 +10547,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to detect a suspicious wscript commandline to execute vbscript. This technique was seen in several malware to execute malicious vbs file using wscript application. commonly vbs script is associated to cscript process and this can be a technique to evade process parent child detections or even some av script emulation system.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -10397,7 +10557,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to detect a possible abuse of verclsid to execute malicious file through generate CLSID. This process is a normal application of windows to verify the CLSID COM object before it is instantiated by Windows Explorer. This hunting query can be a good pivot point to analyze what is he CLSID or COM object pointing too to check if it is a valid application or not.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218.012", "T1218"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.012", "T1218"], "nist": ["DE.AE"]}
 known_false_positives = windows can used this application for its normal COM object validation.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -10407,7 +10567,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1505", "T1505.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.003"], "nist": ["DE.CM"]}
 known_false_positives = Baseline your environment before production. It is possible build systems using IIS will spawn cmd.exe to perform a software build. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -10417,7 +10577,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for flags passed to wbadmin.exe (Windows Backup Administrator Tool) that delete backup files. This is typically used by ransomware to prevent recovery.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
 known_false_positives = Administrators may modify the boot configuration.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -10427,7 +10587,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a potential suspicious process loading a COM object from wbemprox.dll or faskprox.dll. The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. This feature is being abused by several threat actors, adversaries or even red teamers to gain privilege escalation or even to evade detections. This TTP is a good indicator that a process is loading possible known .dll modules that were known for its COM object.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]}
 known_false_positives = legitimate process that are not in the exception list may trigger this event.
 providing_technologies = null
 
@@ -10437,7 +10597,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is designed to detect suspicious wermgr.exe process that tries to connect to known IP web services. This technique is know for trickbot and other trojan spy malware to recon the infected machine and look for its ip address without so much finger print on the commandline process. Since wermgr.exe is designed for error handling process of windows it is really suspicious that this process is trying to connect to this IP web services cause that maybe cause of some malicious code injection.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, dns query name process path , and query ststus from your endpoints like EventCode 22. If you are using Sysmon, you must have at least version 12 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1590", "T1590.005"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1590", "T1590.005"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = null
 
@@ -10447,7 +10607,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = this search is designed to detect potential malicious wermgr.exe process that drops or create executable file. Since wermgr.exe is an application trigger when error encountered in a process, it is really un ussual to this process to drop executable file. This technique is commonly seen in trickbot malware where it injects it code to this process to execute it malicious behavior like downloading other payload
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1027"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = null
 
@@ -10457,7 +10617,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is designed to detect suspicious cmd and powershell process spawned by wermgr.exe process. This suspicious behavior are commonly seen in code injection technique technique like trickbot to execute a shellcode, dll modules to run malicious behavior.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -10467,7 +10627,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
 known_false_positives = False positives should be limited, however filtering may be required.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -10477,7 +10637,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, internet via secure tunneling,instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network.
 how_to_implement = This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1102"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1102"], "nist": ["DE.CM"]}
 known_false_positives = Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed.
 providing_technologies = null
 
@@ -10487,7 +10647,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a suspicious process enabling the "SeDebugPrivilege" privilege token. SeDebugPrivilege allows a process to inspect and adjust the memory of other processes, and has long been a security concern. SeDebugPrivilege allows the token bearer to access any process or thread, regardless of security descriptors, per Palantir. This technique is abused by adversaries to gain debug privileges with their malicious software to be able to access or debug a process to dump credentials or to inject malicious code.
 how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4703 EventCode enabled. The Windows TA is also required.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1134.002", "T1134"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.002", "T1134"], "nist": ["DE.AE"]}
 known_false_positives = Some native binaries and browser applications may request SeDebugPrivilege. Filter as needed.
 providing_technologies = ["Microsoft Windows"]
 
@@ -10497,7 +10657,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a process requesting access to winlogon.exe attempting to duplicate its handle. This technique was seen in several adversaries to gain privileges for their process. Winlogon.exe is the common targeted process of this technique because it contains high privileges and security tokens.
 how_to_implement = To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1134.001", "T1134"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.001", "T1134"], "nist": ["DE.AE"]}
 known_false_positives = It is possible legitimate applications will request access to winlogon, filter as needed.
 providing_technologies = null
 
@@ -10507,7 +10667,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a process requesting access in winlogon.exe to duplicate its handle with a non-common or public process source path. This technique was seen where adversaries attempt to gain privileges to their process. This duplicate handle access technique, may refer to a malicious process duplicating the process token of winlogon.exe and using it to a new process instance. Winlogon.exe is the common targeted process of this technique because it contains high privileges and security tokens.
 how_to_implement = To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1134.001", "T1134"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.001", "T1134"], "nist": ["DE.AE"]}
 known_false_positives = It is possible legitimate applications will request access to winlogon, filter as needed.
 providing_technologies = null
 
@@ -10515,9 +10675,9 @@ providing_technologies = null
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets Get-NetUser. In the context of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory user accounts that are not disabled. This hunting query is a good pivot to look for suspicious process or malware that gather user account information in a host or within network system.
+explanation = The following analytic utilizes PowerShell Script Block Logging to identify the execution of the PowerView PowerShell commandlet Get-NetUser. In the context of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory user accounts that are not disabled. The full script block text based on the CISA-23-347A advisory is "Get-NetUser -UACFilter NOT_ACCOUNTDISABLE". Utilize this query to identify potential suspicious activity of user account enumeration.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]}
 known_false_positives = Administrators may leverage PowerView for legitimate purposes, filter as needed.
 providing_technologies = ["Microsoft Windows"]
 
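Review bot: The new mitre_attack list on the added annotations line pairs T1087 with T1087.001 (Local Account), while the explanation in the same hunk describes PowerView Get-NetUser querying Active Directory user accounts, which the other AD-enumeration hunks in this file map to T1087.002 (Domain Account). Unless the sub-technique was chosen deliberately, the line should read `+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.AE"]}`. Because dist/ is regenerated by the release job, the correction belongs in the detection's source YAML rather than in this file. The two companion Get-NetUser hunks that follow keep plain T1087 and would be more consistent with the same domain sub-technique.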
@@ -10527,7 +10687,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets Get-NetUser. In the context of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory user account's "samccountname". This hunting query is a good pivot to look for suspicious process or malware that gather user account information in a host or within network system.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.AE"]}
 known_false_positives = Administrators may leverage PowerView for legitimate purposes, filter as needed.
 providing_technologies = ["Microsoft Windows"]
 
@@ -10537,7 +10697,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets Get-NetUser. This technique was observed in the context of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory user accounts that do not require preauthentication for Kerberos. This hunting query is a good pivot to look for suspicious process or malware that gather user account information in a host or within network system.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.AE"]}
 known_false_positives = Administrators may leverage PowerView for legitimate purposes, filter as needed.
 providing_technologies = ["Microsoft Windows"]
 
@@ -10547,7 +10707,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = Windows Active Directory contains numerous objects. A statistically significant increase in access to these objects may be evidence of attacker enumeration of Active Directory.
 how_to_implement = Enable Audit Directory Service Access via GPO and collect event code 4662. The required SACLs need to be created for the relevant objects. Be aware Splunk filters this event by default on the Windows TA. Recommend pre-filtering any known service accounts that frequently query AD to make detection more accurate. Setting wide search window of 48~72hr may smooth out misfires.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.AE"]}
 known_false_positives = Service accounts or applications that routinely query Active Directory for information.
 providing_technologies = ["Microsoft Windows"]
 
@@ -10557,7 +10717,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies the modification of the Access Control List for the AdminSDHolder object within a Windows domain. Specifically, the detection triggers on the addition of a new rule to the existing ACL. AdminSDHolder is an object located in the System Partition in Active Directory and is used as a security template for objects that are members of certain privileged groups. Objects in these groups are enumerated and any objects with security descriptors that dont match the AdminSDHolder ACL are flagged for updating. The Security Descriptor propagator (SDProp) process runs every 60 minutes on the PDC Emulator and re-stamps the object Access Control List (ACL) with the security permissions set on the AdminSDHolder. An adversary who has obtained privileged access to a Windows Domain may modify the AdminSDHolder ACL to establish persistence and allow an unprivileged user to take control of a domain.
 how_to_implement = To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for the AdminSDHolder object in order to log modifications.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1546"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546"], "nist": ["DE.CM"]}
 known_false_positives = Adding new users or groups to the AdminSDHolder ACL is not usual. Filter as needed
 providing_technologies = ["Microsoft Windows"]
 
@@ -10567,7 +10727,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic looks for changes to the sIDHistory AD attribute of user or computer objects within different domains. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries for inter-domain privilege escalation and persistence.
 how_to_implement = To successfully implement this search, you need to be ingesting eventcodes `4738` and `4742`. The Advanced Security Audit policy settings `Audit User Account Management` and `Audit Computer Account Management` within `Account Management` all need to be enabled.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"]}
 known_false_positives = Domain mergers and migrations may generate large volumes of false positives for this analytic.
 providing_technologies = ["Microsoft Windows"]
 
@@ -10577,7 +10737,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic detects the disabling of audit policies on a domain controller. The detection is made by identifying changes made to audit policies and checks for the removal of success or failure auditing, which are common indicators of policy tampering. The detection is important because it indicates that an attacker has gained access to the domain controller and is attempting to evade detection and cover up malicious activity. The impact of such an attack can be severe, including data theft, privilege escalation, and compromise of the entire network. False positives might occur since legitimate changes to audit policies might also trigger the analytic. Upon triage, review the audit policy change event and investigate the source of the change. Additionally, you must capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the attack source."
 how_to_implement = Ensure you are ingesting EventCode `4719` from your domain controllers, the category domain_controller exists in assets and identities, and that assets and identities is enabled. If A&I is not configured, you will need to manually filter the results within the base search.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001"], "nist": ["DE.CM"]}
 known_false_positives = Unknown
 providing_technologies = ["Microsoft Windows"]
 
@@ -10587,7 +10747,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic identifies a genuine DC promotion event. Identifying when a computer assigns itself the necessary SPNs to function as a domain controller. Note these events are triggered on the existing domain controllers, not the newly joined domain controller. This detection will serve to identify rogue DCs added to the network. There are 2x detections within this analytic story which identify DCShadow attacks, if you do not currently possess the logging for these detections, remove the where clause within this detection to identify DCShadow activity.
 how_to_implement = To successfully implement this search, you need to be ingesting eventcode `4742`. The Advanced Security Audit policy setting `Audit Computer Account Management` within `Account Management` needs to be enabled.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]}
 known_false_positives = None.
 providing_technologies = ["Microsoft Windows"]
 
@@ -10597,7 +10757,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic detects the addition of the permissions necessary to perform a DCSync attack. In order to replicate AD objects, the initiating user or computer must have the following permissions on the domain. - DS-Replication-Get-Changes - DS-Replication-Get-Changes-All Certain Sync operations may require the additional permission of DS-Replication-Get-Changes-In-Filtered-Set. By default, adding DCSync permissions via the Powerview Add-ObjectACL operation adds all 3. This alert identifies where this trifecta has been met, and also where just the base level requirements have been met.
 how_to_implement = To successfully implement this search, you need to be ingesting the eventcode 5136. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties` applied to the domain root and all descendant objects. Once the necessary logging has been enabled, enumerate the domain policy to verify if existing accounts with access need to be whitelisted, or revoked. Assets and Identities is also leveraged to automatically translate the objectSid into username. Ensure your identities lookup is configured with the sAMAccountName and objectSid of all AD user and computer objects.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1484"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484"], "nist": ["DE.CM"]}
 known_false_positives = When there is a change to nTSecurityDescriptor, Windows logs the entire ACL with the newly added components. If existing accounts are present with this permission, they will raise an alert each time the nTSecurityDescriptor is updated unless whitelisted.
 providing_technologies = ["Microsoft Windows"]
 
@@ -10607,7 +10767,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a Domain. A DC can be configured to allow the DSRM account to logon & be used in the same way as a local administrator account. This detection is looking for alterations to the behaviour of the account via registry.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 known_false_positives = Disaster recovery events.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -10617,7 +10777,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a Domain. A DC can be configured to allow the DSRM account to logon & be used in the same way as a local administrator account. This detection is looking for any password reset attempts against that account.
 how_to_implement = To successfully implement this search, you need to be ingesting eventcode `4794` and have the Advanced Security Audit policy `Audit User Account Management` within `Account Management` enabled.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 known_false_positives = Resetting the DSRM password for legitamate reasons, i.e. forgot the password. Disaster recovery. Deploying AD backdoor deliberately.
 providing_technologies = null
 
@@ -10627,7 +10787,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This detection identifies when the SID of a privileged user is added to the SID History attribute of another user. Useful for tracking SID history abuse across multiple domains. This detection leverages the Asset and Identities framework. See the implementation section for further details on configuration.
 how_to_implement = Ensure you have objectSid and the Down Level Logon Name `DOMAIN\sAMACountName` added to the identity field of your Asset and Identities lookup, along with the category of privileged for the applicable users. Ensure you are ingesting eventcodes 4742 and 4738. Two advanced audit policies `Audit User Account Management` and `Audit Computer Account Management` under `Account Management` are required to generate these event codes.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"]}
 known_false_positives = Migration of privileged accounts.
 providing_technologies = ["Microsoft Windows"]
 
@@ -10637,7 +10797,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = Windows Active Directory contains numerous objects that grant elevated access to the domain they reside in. These objects should be rarely accessed by normal users or processes. Access attempts to one or more of these objects may be evidence of attacker enumeration of Active Directory.
 how_to_implement = Enable Audit Directory Service Access via GPO and collect event code 4662. The required SACLs need to be created for the relevant objects. Be aware Splunk filters this event by default on the Windows TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"]}
 known_false_positives = Service accounts or applications that routinely query Active Directory for information.
 providing_technologies = ["Microsoft Windows"]
 
@@ -10647,7 +10807,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This alert was written to detect activity associated with the DCSync attack. When a domain controller receives a replication request, the user account permissions are validated, however no checks are performed to validate the request was initiated by a Domain Controller. Once an attacker gains control of an account with the necessary privileges, they can request password hashes for any or all users within the domain. This alert detects when a user account creates a handle to domainDNS with the necessary replication permissions.
 how_to_implement = To successfully implement this search, you need to be ingesting eventcode `4662`. The Advanced Security Audit policy settings `Audit Directory Services Access` within `DS Access` needs to be enabled, as well as the following SACLs applied to the domain root and all descendant objects. The principals `everybody`, `Domain Computers`, and `Domain Controllers` auditing the permissions `Replicating Directory Changes`, `Replicating Directory Changes All`, and `Replicating Directory Changes In Filtered Set`
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.006", "T1003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.006", "T1003"], "nist": ["DE.CM"]}
 known_false_positives = Azure AD Connect syncing operations.
 providing_technologies = ["Microsoft Windows"]
 
@@ -10657,7 +10817,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This alert was written to detect activity associated with the DCSync attack performed by computer accounts. When a domain controller receives a replication request, the account permissions are validated, however no checks are performed to validate the request was initiated by a Domain Controller. Once an attacker gains control of an account with the necessary privileges, they can request password hashes for any or all users within the domain. This alert detects when a computer account account creates a handle to domainDNS with the necessary replication permissions. These requests are then filtered to exclude where the events originate from a known domain controller IP address.
 how_to_implement = To successfully implement this search, you need to be ingesting eventcode `4662`. The Advanced Security Audit policy settings `Audit Directory Services Access` within `DS Access` needs to be enabled, as well as the following SACLs applied to the domain root and all descendant objects. The principals `everybody`, `Domain Computers`, and `Domain Controllers` auditing the permissions `Replicating Directory Changes`, `Replicating Directory Changes All`, and `Replicating Directory Changes In Filtered Set` Assets and Identities will also need to be configured, with the category of domain_controller added for domain controllers.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.006", "T1003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.006", "T1003"], "nist": ["DE.CM"]}
 known_false_positives = Genuine DC promotion may trigger this alert.
 providing_technologies = ["Microsoft Windows"]
 
@@ -10667,7 +10827,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic looks for changes to the sIDHistory AD attribute of user or computer objects which exist within the same domain. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries to stealthily grant access to a backdoor account within the same domain. This analytic was written to pick up on activity via Mimikatz sid::patch. Please note there are additional avenues to abuse SID history such as DCShadow & Golden / Diamond tickets which won't be detected using these event codes.
 how_to_implement = To successfully implement this search, you need to be ingesting eventcodes `4738` and `4742`. The Advanced Security Audit policy settings `Audit User Account Management` and `Audit Computer Account Management` within `Account Management` all need to be enabled. SID resolution is not required..
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"]}
 known_false_positives = Unknown
 providing_technologies = ["Microsoft Windows"]
 
@@ -10677,7 +10837,7 @@ asset_type = endpoint
 confidence = medium
 explanation = The following analytic identifies the addition of a Service Principal Name to a domain account. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Servce Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password.
 how_to_implement = To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 known_false_positives = A Service Principal Name should only be added to an account when an application requires it. While infrequent, this detection may trigger on legitimate actions. Filter as needed.
 providing_technologies = ["Microsoft Windows"]
 
@@ -10687,7 +10847,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies the addition of a Service Principal Name to a domain account that is quickly deleted within 5 minutes or less. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Service Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password. To clean things up, the adversary may delete the SPN which will trigger this detection.
 how_to_implement = To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 known_false_positives = A Service Principal Name should only be added to an account when an application requires it. Adding an SPN and quickly deleting it is less common but may be part of legitimate action. Filter as needed.
 providing_technologies = ["Microsoft Windows"]
 
@@ -10697,7 +10857,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies when either a global catalog SPN or a DRS RPC SPN are temporarily added to an Active Directory computer object, both of which can be evidence of a DCShadow attack. DCShadow allows an attacker who has obtained privileged access to register a rogue Domain Controller (DC). Once registered, the rogue DC may be able to inject and replicate changes into the AD infrastructure for any domain object, including credentials and keys. This technique was initially released in 2018 by security researchers Benjamin Delpy and Vincent Le Toux. No event logs are written for changes to AD attributes, allowing for stealthy backdoors to be implanted in the domain, or metadata such as timestamps overwritten to cover tracks.
 how_to_implement = To successfully implement this search, you need to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties` applied to the domain root and all descendant objects.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]}
 known_false_positives = None.
 providing_technologies = ["Microsoft Windows"]
 
@@ -10707,7 +10867,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a change in an Active Directory environment that could represent evidence of the DCShadow attack. DCShadow allows an attacker who has obtained privileged access to register a rogue Domain Controller (DC). Once registered, the rogue DC may be able to inject and replicate changes in the AD infrastructure for any domain object, including credentials and keys. This technique was initially released in 2018 by security researchers Benjamin Delpy and Vincent Le Toux. Specifically, the detection will trigger when a possible rogue Domain Controller computer object is created and quickly deleted within 30 seconds or less in an Active Directory domain. This behavior was identfied by simulating the DCShadow attack with Mimikatz.
 how_to_implement = To successfully implement this search, you ned to be ingesting Event codes `5137` and `5141`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. For these event codes to be generated, specific SACLs are required.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]}
 known_false_positives = Creating and deleting a server object within 30 seconds or less is unusual but not impossible in a production environment. Filter as needed.
 providing_technologies = ["Microsoft Windows"]
@@ -10717,7 +10877,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic leverages event code `5136` to identify a modification of the SID History AD attribute. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries to stealthily grant access to a backdoor account within the same domain.
 how_to_implement = To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1134", "T1134.005"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134", "T1134.005"], "nist": ["DE.CM"]}
 known_false_positives = Domain mergers and migrations may generate large volumes of false positives for this analytic.
 providing_technologies = ["Microsoft Windows"]
@@ -10727,7 +10887,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for the execution of `adfind.exe` with command-line arguments that it uses by default specifically the filter or search functions. It also considers the arguments necessary like objectcategory, see readme for more details: https://www.joeware.net/freetools/tools/adfind/usage.htm. AdFind.exe is a powerful tool that is commonly used for querying and retrieving information from Active Directory (AD). While it is primarily designed for AD administration and management, it has been seen used before by Wizard Spider, FIN6 and actors whom also launched SUNBURST.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
 known_false_positives = ADfind is a command-line tool for AD administration and management that is seen to be leveraged by various adversaries. Filter out legitimate administrator usage using the filter macro.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -10737,7 +10897,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is developed to identify suspicious file creation in the root drive (C:\). This tactic was observed in NjRAT as a means to ascertain whether its malware instance running on the compromised host possesses administrative privileges. The methodology involves an attempt to create a 'win.dat' file in the C:\ directory. If this file is successfully created, it serves as an indicator that the process indeed holds administrative privileges. This anomaly detection mechanism serves as a valuable pivot point for detecting NjRAT and other malware strains employing similar techniques to assess the privileges of their running malware instances, without using token privilege API calls or PowerShell commandlets.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1069.001"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069.001"], "nist": ["DE.AE"]}
 known_false_positives = False positives may occur if there are legitimate accounts with the privilege to drop files in the root of the C drive. It's recommended to verify the legitimacy of such actions and the accounts involved.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -10747,7 +10907,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic leverages Event IDs 5140 or 5145 to identify a source computer accessing windows administrative shares (C$, Admin$ and IPC$ ) across a large number remote endpoints. Specifically, the logic will trigger when a source endpoint accesses administrative shares across 30 or more target computers within a 5 minute timespan. This behavior could represent an adversary who is enumerating network shares across an Active Directory environment in the search for sensitive files, a common technique leveraged by red teamers and threat actors. As environments differ across organizations, security teams should customize the thresholds of this detection as needed.
 how_to_implement = To successfully implement this search, you need to be ingesting file share events. The Advanced Security Audit policy setting `Audit Detailed File Share` or `Audit File Share` within `Object Access` need to be enabled.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1135"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1135"], "nist": ["DE.CM"]}
 known_false_positives = An single endpoint accessing windows administrative shares across a large number of endpoints is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.
 providing_technologies = ["Microsoft Windows"]
@@ -10757,7 +10917,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic leverages Splunks Admon to identify the modification of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the modification of the default GPOs.
 how_to_implement = To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]}
 known_false_positives = The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed.
 providing_technologies = null
@@ -10767,7 +10927,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic leverages Splunks Admon to identify the creation of a new Group Policy Object. With GPOs, system administrators can manage and configure applications, software operations, and user settings throughout an entire organization. GPOs can be abused and leveraged by adversaries to escalate privileges or deploy malware across an Active Directory network. As an example, the Lockbit ransomware malware will create new group policies on the domain controller that are then pushed out to every device on the network. Security teams should monitor the creation of new Group Policy Objects.
 how_to_implement = To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]}
 known_false_positives = Group Policy Objects are created as part of regular administrative operations, filter as needed.
 providing_technologies = null
@@ -10775,9 +10935,9 @@ providing_technologies = null
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = The following analytic detects when an uninterrupted string of base64 characters is written to the contents of an NTFS file system alternate data stream. This behavior could indicate a threat actor staging malicious code within difficult to detect areas of the file system for later use or persistence.
+explanation = This analytic leverages Sysmon Event ID 15, a critical file creation event, to detect the creation of Alternate Data Streams (ADS) on Windows systems. ADS is a feature of the NTFS file system that allows the storage of data in hidden streams attached to files. These streams are not visible in standard file listings, making them a popular technique for concealing malicious activity. Event ID 15 captures both the hash of the primary file content (unnamed stream) and the content of any additional named streams, which can include executables, scripts, or configuration data. Malware often exploits ADS to hide payloads, leveraging browser downloads to attach a Zone.Identifier stream, marking the file as originating from the Internet (Mark Of The Web, MOTW). This analytic is designed to identify such misuse by analyzing the content and creation patterns of named streams, including those under 1KB which may contain MOTW information. It is essential for detecting sophisticated threats that utilize non-executable file types or conceal malicious scripts within ADS, beyond the traditional focus on PE executables. The detection process involves monitoring for the creation of named streams, which are part of the NTFS structure and can be examined using tools like PowerShell for the presence of additional data streams or MOTW information. This approach helps in uncovering hidden payloads and tracking the origin of suspicious files downloaded via browsers or email clients, providing a comprehensive defense against ADS abuse.
 how_to_implement = Target environment must ingest sysmon data, specifically Event ID 15.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1564", "T1564.004"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564", "T1564.004"], "nist": ["DE.CM"]}
 known_false_positives = Unknown
 providing_technologies = null
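Review bot: The rewritten explanation no longer states what the search matches. The removed text keyed on an uninterrupted base64 string written to the stream contents; the new text describes ADS and Mark-of-the-Web in general and says the analytic examines named streams "under 1KB which may contain MOTW information". If the underlying SPL (not in this hunk) still filters on base64 content, that sentence misdescribes the detection; if it does not, every browser download's Zone.Identifier stream would fire, which is at odds with `known_false_positives = Unknown` two lines below. Since dist/ is regenerated by the release job, the fix belongs in the source detection YAML: keep one sentence naming the actual match condition, and set known_false_positives to something like `Zone.Identifier streams written by browsers and mail clients are expected; filter on stream name or writing process as needed.`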
@@ -10785,9 +10945,9 @@ providing_technologies = null
 type = detection
 asset_type = Endpoint
 confidence = medium
-explanation = The following analytic detects when data is written to the contents of an NTFS file system alternate data stream that possess an IMPASH value. This indicates that the data written has a PE structure and can be executed. This behavior could indicate a threat actor staging malicious code within difficult to detect areas of the file system for later usage or persistence.Note - import hashing/imphash must be enabled within Sysmon.
-how_to_implement = Target environment must ingest sysmon data, specifically Event ID 15.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1564", "T1564.004"], "nist": ["DE.CM"]}
+explanation = This analytic is designed to detect when data, possessing an IMPHASH value, is written to an Alternate Data Stream (ADS) in the NTFS file system. The presence of an IMPHASH value suggests that the written data has a Portable Executable (PE) structure, indicating its potential to be executed. Such behavior could be a sign of a threat actor staging malicious code within hard-to-detect areas of the file system for future use or persistence. It's important to note that for this analytic to function correctly, import hashing/imphash must be enabled within Sysmon. This allows the capture of the IMPHASH value, a unique identifier for the imported functions of a PE, providing a robust mechanism for detecting hidden malicious activity leveraging ADS.
+how_to_implement = Target environment must ingest Sysmon data, specifically Event ID 15, and import hashing/imphash must be enabled within Sysmon.
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564", "T1564.004"], "nist": ["DE.CM"]}
 known_false_positives = Unknown
 providing_technologies = null
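Review bot: The new how_to_implement says imphash "must be enabled within Sysmon" but not how, and Event ID 15 is itself opt-in, so a deployment that ingests Sysmon but lacks either setting will never fire this search and nobody will notice. Sysmon only emits FileCreateStreamHash (Event ID 15) when the configuration contains a `FileCreateStreamHash` rule, and the Imphash field is only populated when `IMPHASH` is listed in `<HashAlgorithms>`. I would extend the line to: `Target environment must ingest Sysmon Event ID 15 (FileCreateStreamHash); the Sysmon configuration must include a FileCreateStreamHash rule and list IMPHASH in HashAlgorithms so the Imphash field is populated.` Because dist/ is generated by the release job, this wording should be changed in the source detection YAML rather than here.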
@@ -10797,7 +10957,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This following analytic detects when a process attempts to execute a file from within an NTFS file system alternate data stream. This behavior could indicate that a threat actor staged malicious code within a difficult to detect area of the file system and is now attempting to execute it.
 how_to_implement = Target environment must ingest process execution data sources such as Windows process monitoring and/or Sysmon Event ID 1.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1564", "T1564.004"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564", "T1564.004"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be generated by process executions within the commandline, regex has been provided to minimize the possibilty.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -10807,7 +10967,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a default behavior of a MetaSploit payload. MetaSploit uses Apache Benchmark to generate payloads. The payloads contain standard artifacts including "Apache Benchmark" and the original file name is always ab.exe. During triage, review the process and it's path. It is possible network connections spawned from it. Review parallel processes for further behaviors.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
 known_false_positives = False positives should be limited as there is a small subset of binaries that contain the original file name of ab.exe. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -10817,7 +10977,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a suspicious process creating or connecting to a possible Qakbot named pipe . This technique was seen in Qakbot malware that creates named pipe after injecting its code in legitimate process to communicate on other process that also has an injected code to steal information on the compromised host. This Anomaly detection can be a good pivot for possible Qakbot infection. This detection looks for possible random generated named pipe (in GUID form) created by known process being abused by Qakbot.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, pipename, processguid and named pipe event type from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1071"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -10827,7 +10987,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a suspicious wermgr.exe process creating or connecting to a named pipe. Wermgr.exe is part of Windows OS Problem reporting application responsible for reporting problems, fault or error happen on the Windows OS. This file is being abused by several Threat actors and malware such as Trickbot and Qakbot to execute their malicious code. This anomaly detection can be a good pivot on possible wermgr.exe processes having injected malicious code that might be related to qakbot infection that communicates via named pipe.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, pipename, processguid and named pipe event type from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1071"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -10837,7 +10997,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies the use of default or publicly known named pipes used by RMX remote admin tool. A named pipe is a named, one-way or duplex pipe for communication between the pipe server and one or more pipe clients. RMX Tool uses named pipes in many way as part of its communication for its server and client component. This tool was abuse by several adversaries and malware like Azorult to collect data to the targeted host. This TTP is a good indicator that this tool was install in production premise and need to check if the user has a valid reason why it need to install this legitimate application.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1071"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present. Filter based on pipe name or process.
 providing_technologies = null
@@ -10847,7 +11007,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies suspicious PowerShell script that archive files to a temp folder. This anomaly detection serves as a valuable indicator to uncover threats from adversaries utilizing PowerShell scripts for data archiving purposes. Identifying this method becomes pivotal in flagging and investigating potential threats, enabling proactive measures threat actors leveraging similar PowerShell-based data collection and archiving techniques.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1560"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560"], "nist": ["DE.AE"]}
 known_false_positives = powershell may used this function to archive data.
 providing_technologies = ["Microsoft Windows"]
@@ -10857,7 +11017,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a process execute a rar utilities to archive files. This method has been exploited by various threat actors, including red-teamers and malware like DarkGate, to gather and compress collected data on compromised hosts. Subsequently, these archives are transmitted to command and control servers as part of their data exfiltration techniques. These adversaries leverage RAR archiving to consolidate and compress collected data on compromised hosts. Once the data is compiled into these archives, it serves as a means for these entities to effectively exfiltrate sensitive information. This process involves transferring the archived data to command and control servers, facilitating the extraction and retrieval of critical information from compromised systems.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]}
 known_false_positives = user and network administrator can execute this command.
providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -10867,7 +11027,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic is designed to detect any execution of AutoIt3, a scripting language designed for automating the Windows GUI and general scripting. This includes instances where AutoIt3 has been renamed or otherwise altered in an attempt to evade detection. The analytic works by searching for process names or original file names that match 'autoit3.exe', which is the default executable for AutoIt scripts. This detection is important as AutoIt3 is often used by attackers to automate malicious activities, such as the execution of malware or other unwanted software. False positives may occur with legitimate uses of AutoIt3.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present if the application is legitimately used, filter by user or endpoint as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -10877,7 +11037,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies the abuse of two undocumented registry keys that allow for a DLL to load into lsass.exe to potentially capture credentials. Upon successful modification of \CurrentControlSet\Services\NTDS\DirectoryServiceExtPt or \CurrentControlSet\Services\NTDS\LsaDbExtPt, a DLL either remote or local will be set as the value and load up into lsass.exe. Based on POC code a text file may be written to disk with credentials.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.008"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.008"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present on recent Windows Operating Systems. Filtering may be required based on process_name. In addition, look for non-standard, unsigned, module loads into LSASS. If query is too noisy, modify by adding Endpoint.processes process_name to query to identify the process making the modification.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -10887,7 +11047,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. Dynamic-link Library Injection), allowing for arbitrary code execution (ex. C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL). In addition to Dynamic-link Library Injection, Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address. During triage, review file modifcations and parallel processes.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218.013", "T1218"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.013", "T1218"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present, filter on DLL name or parent process.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -10897,7 +11057,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic will identify suspicious files dropped or created in the Windows %startup% folder. This technique is a common way to gain persistence on a targeted host. Threat actor, adversaries and red teamer abuse this folder path to automatically execute their malicious sample upon boot or restart of the infected host. This TTP detection is a good indicator that a suspicious process wants to gain persistence on the targeted host. We suggest to verify the process name by using the process guid field, the file created and also the user and the computer name for further investigation.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.001", "T1547"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.001", "T1547"], "nist": ["DE.AE"]}
 known_false_positives = Administrators may allow creation of script or exe in this path.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -10907,7 +11067,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following hunting query utilizes a PowerShell Scripted input that captures the bootloader paths for each Windows endpoint it is deployed to. The template inputs.conf is located in the references link. By default, it only captures the path, but may be modified to capture everything that BCDedit provides. It can be verbose, but may be worth it.
 how_to_implement = To implement this analytic, a new stanza will need to be added to a inputs.conf and deployed to all or some Windows endpoints. https://gist.github.com/MHaggis/26518cd2844b0e03de6126660bb45707 provides the stanza. If modifying the sourcetype, be sure to update the Macro for this analytic. Recommend running it daily, or weekly, depending on threat model.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1542.001", "T1542"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1542.001", "T1542"], "nist": ["DE.AE"]}
 known_false_positives = No false positives here, only bootloaders. Filter as needed or create a lookup as a baseline.
 providing_technologies = null
@@ -10917,7 +11077,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a potentially suspicious execution of the 'pkgmgr' process involving the use of an XML input file for package management. The 'pkgmgr' process, though deprecated in modern Windows systems, was historically used for managing packages. The presence of an XML input file raises concerns about the nature of the executed command and its potential impact on the system. Due to the deprecated status of 'pkgmgr' and the involvement of an XML file, this activity warrants careful investigation. XML files are commonly used for configuration and data exchange, making it crucial to ascertain the intentions and legitimacy of the command. To ensure system security, it is recommended to use up-to-date package management utilities, such as DISM or PowerShell's PackageManagement module, and exercise caution when executing commands involving potentially sensitive operations or files. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.002"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002"], "nist": ["DE.AE"]} known_false_positives = False positives may be present on recent Windows Operating Systems. Filtering may be required based on process_name. In addition, look for non-standard, unsigned, module loads into LSASS. If query is too noisy, modify by adding Endpoint.processes process_name to query to identify the process making the modification. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -10927,7 +11087,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies .cab files being written to disk. Utilize this analytic as a way to hunt for suspect .cab files being written to non-standard paths and tune as needed. Cab files were recently being utilized to deliver .url files embedded. The .url files were then used to deliver malicious payloads. The search specifically looks for instances where the file name is '*.cab' and the action is 'write'. During the triage process, it is recommended to review the file path for additional artifacts that may provide further insights into the event. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566.001"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001"], "nist": ["DE.AE"]} known_false_positives = False positives will only be present if a process legitimately writes a .cab file to disk. Modify the analytic as needed by file path. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -10937,7 +11097,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a process command line related to the discovery of cache domain credential logon count in the registry. This Technique was being abused by several post exploitation tool like Winpeas where it query CachedLogonsCount registry value in Winlogon registry. This value can be good information about the login caching setting on the Windows OS target host. A value of 0 means login caching is disable and values > 50 caches only 50 login attempts. By default all versions of Windows 10 save cached logins except Windows Server 2008. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.005", "T1003"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.005", "T1003"], "nist": ["DE.AE"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -10947,7 +11107,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic is developed to detect suspicious process commandline to change or set the default file association of a file without file extension with notepad.exe. This technique was seen in some APT and ransomware Prestige where it set/modify the default process to run file association, like .txt to notepad.exe. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1546.001", "T1546"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.001", "T1546"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -10957,7 +11117,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a powershell script command to retrieve clipboard data. This technique was seen in several post exploitation tools like WINPEAS to steal sensitive information that was saved in clipboard. Using the Get-Clipboard powershell commandlet, adversaries can be able collect data stored in clipboard that might be a copied user name, password or other sensitive information. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1115"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1115"], "nist": ["DE.AE"]} known_false_positives = It is possible there will be false positives, filter as needed. providing_technologies = ["Microsoft Windows"] 
@@ -10967,7 +11127,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the use of reg.exe performing an add to the InProcServer32, which may be related to COM hijacking. Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1546.015", "T1546"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.015", "T1546"], "nist": ["DE.CM"]} known_false_positives = False positives may be present and some filtering may be required. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -10977,7 +11137,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies path traversal command-line execution and should be used to tune and driver other more higher fidelity analytics. This technique was seen in malicious document that execute malicious code using msdt.exe and path traversal technique that serve as defense evasion. This Hunting query is a good pivot to look for possible suspicious process and command-line that runs execute path traversal technique to run malicious code. This may help you to find possible downloaded malware or other lolbin execution. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} known_false_positives = false positive may vary depends on the score you want to check. The bigger number of path traversal string count the better. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -10987,7 +11147,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies path traversal command-line execution. This technique was seen in malicious document that execute malicious code using msdt.exe and path traversal technique that serve as defense evasion. This TTP is a good pivot to look for more suspicious process and command-line that runs before and after this execution. This may help you to find possible downloaded malware or other lolbin execution. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]} known_false_positives = Not known at this moment. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -10997,7 +11157,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies DCRat "forkbomb" payload feature. This technique was seen in dark crystal RAT backdoor capabilities where it will execute several cmd child process executing "notepad.exe & pause". The following analytic detects the multiple cmd.exe and child process notepad.exe execution using batch script in the targeted host within 30s timeframe. this TTP can be a good pivot to check DCRat infection. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.003", "T1059"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003", "T1059"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -11007,7 +11167,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a suspicious process command line fetching the environment variables with a non-shell parent process. This technique was seen in qakbot malware where it fetches the environment variable in the target or compromised host. This TTP detection is a good pivot of possible malicious behavior since the command line is executed by a common non-shell process like cmd.exe , powershell.exe and many more. This can also be a good sign that the parent process has a malicious code injected to it to execute this command. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} known_false_positives = shell process that are not included in this search may cause False positive. Filter is needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -11017,7 +11177,7 @@ asset_type = Endpoint confidence = medium explanation = The following correlation identifies instances where four or more distinct detection analytics are associated with malicious command line behavior that is known to be exploited by multiple threat actors, adversaries, or red teamers on a specific host. By leveraging the Command Line Interface (CLI), attackers can execute malicious commands, gain access to sensitive data, install backdoors, and engage in various nefarious activities. The impact of such compromise can be severe, as attackers may gain unauthorized control over the compromised system, enabling them to exfiltrate valuable information, escalate privileges, or launch further attacks within the network. If this detection is triggered, there is a high level of confidence in the occurrence of suspicious command line activities on the host. how_to_implement = Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1222", "T1049", "T1033", "T1529", "T1016", "T1059"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Actions on Objectives", "Installation"], "mitre_attack": ["T1222", "T1049", "T1033", "T1529", "T1016", "T1059"], "nist": ["DE.AE"]} known_false_positives = False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers. providing_technologies = null 
@@ -11027,7 +11187,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifes a Computer Account creating a new Computer Account with specific a Service Principle Name - "RestrictedKrbHost". The RestrictedKrbHost service class allows client applications to use Kerberos authentication when they do not have the identity of the service but have the server name. how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4741 EventCode enabled. The Windows TA is also required. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]} known_false_positives = It is possible third party applications may have a computer account that adds computer accounts, filtering may be required. providing_technologies = ["Microsoft Windows"] @@ -11037,7 +11197,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a ComputerAccount requesting a Kerberos Ticket. typically, a user account requests a Kerberos ticket. This behavior was identified with KrbUpRelay, but additional Kerberos attacks have exhibited similar behavior. how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4768 EventCode enabled. The Windows TA is also required. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]} known_false_positives = It is possible false positives will be present based on third party applications. Filtering may be needed. providing_technologies = ["Microsoft Windows"] 
@@ -11047,7 +11207,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies two SPNs, HOST and RestrictedKrbHost, added using the KrbRelayUp behavior. This particular behavior has been found in other Kerberos based attacks. how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4741 EventCode enabled. The Windows TA is also required. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]} known_false_positives = It is possible third party applications may add these SPNs to Computer Accounts, filtering may be needed. providing_technologies = ["Microsoft Windows"] 
@@ -11057,7 +11217,7 @@ asset_type = endpoint confidence = medium explanation = The following analytic detects the unusual use of the Windows Console Host process (conhost.exe) with the undocumented --headless parameter to spawn a new process. This behavior is highly unusual and indicative of suspicious activity, as the --headless parameter is not commonly used in legitimate operations. The analytic identifies this behavior by looking for instances where conhost.exe is invoked with the --headless argument. This behavior is worth identifying for a Security Operations Center (SOC) as it could indicate an attacker's attempt to execute commands or scripts in a stealthy manner, potentially to establish persistence, perform lateral movement, or carry out other malicious activities. If a true positive is identified, it suggests that an attacker has gained a foothold in the environment and is attempting to further their attack, which could lead to serious consequences such as data exfiltration, system compromise, or deployment of ransomware. Potential false positives could arise from legitimate administrative activity, hence it is important to validate the context of the detected behavior during triage. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1564.003", "T1564.006"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.003", "T1564.006"], "nist": ["DE.CM"]} known_false_positives = False positives may be present if the application is legitimately used, filter by user or endpoint as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] @@ -11067,7 +11227,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a new local user account added to a computer. Note that, this should be restricted to critical assets. how_to_implement = This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/ -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.AE"]} known_false_positives = It is possible that an administrator created the account. Verifying activity with an administrator is advised. This analytic is set to anomaly to allow for risk to be added. Filter and tune as needed. Restrict to critical infrastructure to reduce any volume. providing_technologies = null 
@@ -11077,7 +11237,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the use of CreateDump.exe being used to perform a process dump. This particular binary is not native to Windows, but is found to be brought in my many different third party applications including PowerShell 7. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.001"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.CM"]} known_false_positives = False positives may be present if an application is dumping processes, filter as needed. Recommend reviewing createdump.exe usage across the fleet to better understand all usage and by what. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -11087,7 +11247,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic focuses on identifying non-chrome processes that attempt to access the Chrome extensions file. This file contains crucial settings and information related to the browser's extensions installed on the computer. Adversaries and malware authors have been known to exploit this file to extract sensitive information from the Chrome browser on targeted hosts. Detecting such anomalous behavior provides valuable insights for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for access to the Chrome extensions file by non-chrome processes, we can enhance our ability to detect potential threats and protect sensitive information stored within the browser. how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} known_false_positives = Uninstall chrome browser extension application may access this file and folder path to removed chrome installation in the target host. Filter is needed. providing_technologies = ["Microsoft Windows"] 
@@ -11097,7 +11257,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic is designed to detect non-chrome processes accessing the Chrome user data file called "local state." This file contains important settings and information related to the browser's operations on the computer. Threat actors, adversaries, and malware authors have been known to exploit this file in attempts to extract the encrypted master key used for decrypting passwords saved in the Chrome browser. Detecting access to the "local state" file by non-chrome processes serves as a valuable pivot for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for this anomaly, we can improve our ability to identify potential threats and safeguard sensitive information stored within the browser. how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} known_false_positives = Uninstall chrome application may access this file and folder path to removed chrome installation in target host. Filter is needed. providing_technologies = ["Microsoft Windows"] 
@@ -11107,7 +11267,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic is designed to identify non-chrome processes accessing the Chrome user data file called "login data." This SQLite database file contains important information related to the browser's operations on the computer. Threat actors, adversaries, and malware authors have been known to exploit this file in attempts to extract and decrypt passwords saved in the Chrome browser. Detecting access to the "login data" file by non-chrome processes serves as a valuable pivot for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for this anomaly, we can enhance our ability to detect potential threats and protect sensitive information stored within the browser. how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} known_false_positives = Uninstall application may access this registry to remove the entry of the target application. filter is needed. providing_technologies = ["Microsoft Windows"] 
@@ -11117,7 +11277,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a process execution of Windows OS cmdkey.exe tool. This tool is being abused or used by several post exploitation tool and malware such as Darkgate malware to create stored user names, passwords or credentials in the targeted Windows OS host. This information can be used by the attacker to gain privilege escalation and persistence in the targeted hosts for further attacks. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1555"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555"], "nist": ["DE.CM"]} known_false_positives = network administrator can use this tool for auditing process. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -11127,7 +11287,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a process execution of Windows OS cmdkey.exe tool. This tool is being abused or used by several post exploitation tool and malware such as Darkgate malware to delete stored user names, passwords or credentials in the targeted Windows OS host. This information can be used by the attacker to gain privilege escalation and persistence in the targeted hosts for further attacks.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1555"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555"], "nist": ["DE.CM"]}
 known_false_positives = network administrator can use this tool for auditing process.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11137,7 +11297,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a process execution of Windows OS cmdkey.exe tool. This tool is being abused or used by several post exploitation tool such as winpeas that being used by ransomware prestige to list stored user names, passwords or credentials in the targeted Windows OS host. This information can be used by the attacker to gain privilege escalation and persistence in the targeted hosts for further attacks.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1555"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555"], "nist": ["DE.AE"]}
 known_false_positives = network administrator can use this tool for auditing process.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11147,7 +11307,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a process command line related to the discovery of possible password or credentials in the registry. This technique is being abused by adversaries or post exploitation tools like winpeas to steal credentials in the registry in the targeted host. Registry can contain several sensitive information like username and credentials that can be used for privilege escalation, persistence or even in lateral movement. This Anomaly detection can be a good pivot to detect a suspicious process querying a registry related to password or private keys.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11159,7 +11319,7 @@ explanation = The following analytic identifies the use of Windows Curl.exe down
 -O or --output is used when a file is to be downloaded and placed in a specified location. \
 During triage, review parallel processes for further behavior. In addition, identify if the download was successful. If a file was downloaded, capture and analyze.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
 known_false_positives = It is possible Administrators or super users will use Curl for legitimate purposes. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11173,7 +11333,7 @@ explanation = The following analytic identifies the use of Windows Curl.exe uplo
 HTTP multipart formposts are done with `-F`, but this appears to not be compatible with the Windows version of Curl. Will update if identified adversary tradecraft. \
 Adversaries may use one of the three methods based on the remote destination and what they are attempting to upload (zip vs txt). During triage, review parallel processes for further behavior. In addition, identify if the upload was successful in network logs. If a file was uploaded, isolate the endpoint and review.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be limited to source control applications and may be required to be filtered out.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11183,7 +11343,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a suspicious process recursively deleting files in a compromised host. This behavior was seen in several destructive malware, wiper like caddy wiper, doublezero, and now swiftslicer that delete or overwrite files with random generated strings to make it unrecoverable. This analytic can also catch a possible recursive file write on multiple files using Sysmon Event 23. Sysmon treats the modified file as a deleted one as soon as it was overwritten. This analytic can be a good indicator that a possible destructive malware is running in a host machine or a big software application is being uninstalled.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the deleted target file name, process name and process id from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]}
 known_false_positives = uninstall a big software application may trigger this detection. Filter is needed.
 providing_technologies = null
@@ -11193,7 +11353,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a modification to the Transcodedwallpaper file in the wallpaper theme directory to change the wallpaper of the host machine. This technique was seen in adversaries attempting to deface or change the desktop wallpaper of the targeted host. During our testing, the common process that affects or changes the wallpaper if a user changes it via desktop personalized setting is explorer.exe.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1491"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1491"], "nist": ["DE.AE"]}
 known_false_positives = 3rd part software application can change the wallpaper. Filter is needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11203,7 +11363,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic leverages Event ID 5136 to identify the modification of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the modification of the default GPOs.
 how_to_implement = To successfully implement this search, the Advanced Security Audit policy setting `Audit Directory Service Changes` within `DS Access` needs to be enabled. Furthermore, the appropriate system access control lists (SACL) need to be created as the used events are not logged by default. A good guide to accomplish this can be found here https://jgspiers.com/audit-group-policy-changes/.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]}
 known_false_positives = The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed.
 providing_technologies = ["Microsoft Windows"]
@@ -11213,7 +11373,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic leverages the Endpoint datamodel to identify the potential edition of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the edition of the default GPOs.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]}
 known_false_positives = The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11223,7 +11383,7 @@ asset_type = endpoint
 confidence = medium
 explanation = This detection searches for Windows Defender ASR audit events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR audit events that are generated when a process or application attempts to perform an action that would be blocked by an ASR rule, but is allowed to proceed for auditing purposes.
 how_to_implement = The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore the analytic will need to be modified for each type of event.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1566.001", "T1566.002"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1059", "T1566.001", "T1566.002"], "nist": ["DE.AE"]}
 known_false_positives = False positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. For example, Event ID 1122 is generated when a process attempts to load a DLL that is blocked by an ASR rule. This can be triggered by legitimate applications that attempt to load DLLs that are not blocked by ASR rules. This is audit only.
 providing_technologies = null
@@ -11233,7 +11393,7 @@ asset_type = endpoint
 confidence = medium
 explanation = This detection searches for Windows Defender ASR block events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR block events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. Typically, these will be enabled in block most after auditing and tuning the ASR rules themselves. Set to TTP once tuned.
 how_to_implement = The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore the analytic will need to be modified for each type of event.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1566.001", "T1566.002"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1059", "T1566.001", "T1566.002"], "nist": ["DE.AE"]}
 known_false_positives = False positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. For example, Event ID 1122 is generated when a process attempts to load a DLL that is blocked by an ASR rule. This can be triggered by legitimate applications that attempt to load DLLs that are not blocked by ASR rules. This is block only.
 providing_technologies = null
@@ -11243,7 +11403,7 @@ asset_type = endpoint
 confidence = medium
 explanation = This detection searches for Windows Defender ASR registry modification events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR registry modification events that are generated when a process or application attempts to modify a registry key that is blocked by an ASR rule. Typically, these will be enabled in block most after auditing and tuning the ASR rules themselves. Set to TTP once tuned.
 how_to_implement = The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
 known_false_positives = False positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. For example, Event ID 5007 is generated when a process attempts to modify a registry key that is related to ASR rules. This can be triggered by legitimate applications that attempt to modify registry keys that are not blocked by ASR rules.
 providing_technologies = null
@@ -11253,7 +11413,7 @@ asset_type = endpoint
 confidence = medium
 explanation = The following analytic identifies when a Windows Defender ASR rule disabled events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR rule disabled events that are generated when an ASR rule is disabled.
 how_to_implement = The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]}
 known_false_positives = False positives may occur if applications are typically disabling ASR rules in the environment. Monitor for changes to ASR rules to determine if this is a false positive.
 providing_technologies = null
@@ -11264,7 +11424,7 @@ confidence = medium
 explanation = This hunting analytic targets a range of security events from Microsoft Defender, focusing on the Exploit Guard and Attack Surface Reduction (ASR) features. It monitors specific Event IDs - Event IDs 1121 and 1126 indicate active blocking of unauthorized operations or dangerous network connections, whereas Event IDs 1122 and 1125 represent audit logs for similar activities. Event ID 1129 shows user overrides on blocked operations. For ASR-related activities, Event IDs 1131 and 1133 signal blocked operations, while 1132 and 1134 are audit logs. Event ID 5007 alerts on configuration changes, possibly indicating security breaches. \
 Additionally, the analytic utilizes a lookup to correlate ASR rule GUIDs with their descriptive names, enhancing understanding of the context behind these security alerts. This includes rules for blocking vulnerable drivers, restricting actions of Adobe Reader and Office applications, and protecting against various malware and unauthorized system changes. This comprehensive approach aids in assessing policy enforcement and potential security risks.
 how_to_implement = The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore the analytic will need to be modified for each type of event. The analytic can be modified to look for specific ASR rules, or to look for specific Event IDs. EventID 5007 is a change in the registry, and may be a false positive. This can be removed from the search if desired.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566.001", "T1566.002", "T1059"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1566.001", "T1566.002", "T1059"], "nist": ["DE.AE"]}
 known_false_positives = False positives are not expected with this analytic, since it is a hunting analytic. It is meant to show the use of ASR rules and how they can be used to detect malicious activity.
 providing_technologies = null
@@ -11274,7 +11434,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic will detect a suspicious process that modify a registry related to windows defender exclusion feature. This registry is abused by adversaries, malware author and red teams to bypassed Windows Defender Anti-Virus product by excluding folder path, file path, process, extensions and etc. from its real time or schedule scan to execute their malicious code. This is a good indicator for a defense evasion and to look further for events after this behavior.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = admin or user may choose to use this windows features.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11284,7 +11444,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic identifies potentially malicious 'netsh' processes that manipulate firewall configurations. This behavior has been observed in the NJRAT malware, which deletes its added firewall rules as part of its cleanup process. Leveraging this anomaly detection can be a valuable approach for detecting malware, such as NJRAT, that makes alterations to firewall configurations as a component of its malicious activities.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562", "T1562.004"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.004"], "nist": ["DE.AE"]}
 known_false_positives = Administrator may modify or delete firewall configuration.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11294,7 +11454,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to detect deletion of registry with suspicious process file path. This technique was seen in Double Zero wiper malware where it will delete all the subkey in HKLM, HKCU and HKU registry hive as part of its destructive payload to the targeted hosts. This anomaly detections can catch possible malware or advesaries deleting registry as part of defense evasion or even payload impact but can also catch for third party application updates or installation. In this scenario false positive filter is needed.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
 known_false_positives = This detection can catch for third party application updates or installation. In this scenario false positive filter is needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11304,7 +11464,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to detect a suspicious registry modification to disable change password feature of the windows host. This registry modification may disables the Change Password button on the Windows Security dialog box (which appears when you press Ctrl+Alt+Del). As a result, users cannot change their Windows password on demand. This technique was seen in some malware family like ransomware to prevent the user to change the password after ownning the network or a system during attack. This windows feature may implemented by administrator to prevent normal user to change the password of a critical host or server, In this type of scenario filter is needed to minimized false positive.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
 known_false_positives = This windows feature may implemented by administrator to prevent normal user to change the password of a critical host or server, In this type of scenario filter is needed to minimized false positive.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11314,7 +11474,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to detect a suspicious registry modification to disable Lock Computer windows features. This registry modification prevent the user from locking its screen or computer that are being abused by several malware for example ransomware. This technique was used by threat actor to make its payload more impactful to the compromised host.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11324,7 +11484,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to detect a suspicious registry modification to disable logoff feature in windows host. This registry when enable will prevent users to log off of the system by using any method, including programs run from the command line, such as scripts. It also disables or removes all menu items and buttons that log the user off of the system. This technique was seen abused by ransomware malware to make the compromised host un-useful and hard to remove other registry modification made on the machine that needs restart to take effect. This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
 known_false_positives = This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11334,7 +11494,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a process that is attempting to disable the ability on Windows to generate a memory crash dump. This was recently identified being utilized by HermeticWiper. To disable crash dumps, the value must be set to 0. This feature is typically modified to perform a memory crash dump when a computer stops unexpectedly because of a Stop error (also known as a blue screen, system crash, or bug check).
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` and `Registry` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11344,7 +11504,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following search identifies a modification of registry to disable the windows notification center feature in a windows host machine. This registry modification removes notification and action center from the notification area on the task bar. This modification are seen in RAT malware to cover their tracks upon downloading other of its component or other payload.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
 known_false_positives = admin or user may choose to disable this windows features.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11354,7 +11514,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is designed to identify potentially malicious processes that terminate other processes using taskkill.exe. This technique has been observed in various malware instances, employed by adversaries and red teamers alike, to forcibly terminate other processes whether they be security products or other legitimate applications as part of their malicious activities. Detecting this anomaly serves as a valuable alert mechanism to identify suspicious processes or malware attempting to evade detection and disrupt system stability.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562", "T1562.001"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.001"], "nist": ["DE.AE"]}
 known_false_positives = Network administrator can use this application to kill process during audit or investigation.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11364,7 +11524,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to detect a suspicious registry modification to disable shutdown button on the logon user. This technique was seen in several malware especially in ransomware family like killdisk malware variant to make the compromised host un-useful and hard to remove other registry modification made on the machine that needs restart to take effect. This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
 known_false_positives = This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11374,7 +11534,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies AppCmd.exe being utilized to disable HTTP logging on IIS. Adversaries may perform this action to disable logging and delete the logs so remove any trace or events on disk.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.002", "T1562", "T1505", "T1505.004"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1562.002", "T1562", "T1505", "T1505.004"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present only if scripts or Administrators are disabling logging. Filter as needed by parent process or other.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11384,7 +11544,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to detect a suspicious registry modification to disable windows features. These techniques are seen in several ransomware malware to impair the compromised host to make it hard for analyst to mitigate or response from the attack. Disabling these known features make the analysis and forensic response more hard. Disabling these feature is not so common but can still be implemented by the administrator for security purposes. In this scenario filters for users that are allowed doing this is needed.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
 known_false_positives = Disabling these features for legitimate purposes is not a common use case but can still be implemented by the administrators. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11394,7 +11554,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The search looks for the Registry Key DisableAntiSpyware set to disable. This is consistent with Ryuk infections across a fleet of endpoints. This particular behavior is typically executed when an ransomware actor gains access to an endpoint and beings to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11404,7 +11564,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies DiskCryptor process name of dcrypt.exe or internal name dcinst.exe. This utility has been utilized by adversaries to encrypt disks manually during an operation. In addition, during install, a dcrypt.sys driver is installed and requires a reboot in order to take effect. There are no command-line arguments used.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]}
 known_false_positives = It is possible false positives may be present based on the internal name dcinst.exe, filter as needed. It may be worthy to alert on the service name.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11414,7 +11574,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = DiskShadow.exe is a Microsoft Signed binary present on Windows Server. It has a scripting mode intended for complex scripted backup operations. This feature also allows for execution of arbitrary unsigned code. This analytic looks for the usage of the scripting mode flags in executions of DiskShadow. During triage, compare to known backup behavior in your environment and then review the scripts called by diskshadow.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218"], "nist": ["DE.CM"]}
 known_false_positives = Administrators using the DiskShadow tool in their infrastructure as a main backup tool with scripts will cause false positives that can be filtered with `windows_diskshadow_proxy_execution_filter`
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11424,7 +11584,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies the use of the Windows Disk Image Utility, `dism.exe`, to remove Windows Defender. Adversaries may use `dism.exe` to disable Defender before completing their objective.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = Some legitimate administrative tools leverage `dism.exe` to manipulate packages and features of the operating system. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11434,7 +11594,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following hunting analytic is an experimental query built against a accidental feature using the latest Sysmon TA 3.0 (https://splunkbase.splunk.com/app/5709/) which maps the module load (ImageLoaded) to process_name. This analytic will deprecate once this is fixed. This hunting analytic identifies known libraries in Windows that may be used in a DLL search order hijack or DLL Sideloading setting. This may require recompiling the DLL, moving the DLL or moving the vulnerable process. The query looks for any running out of system32 or syswow64. Some libraries natively run out of other application paths and will need to be added to the exclusion as needed. The lookup is comprised of Microsoft native libraries identified within the Hijacklibs.net project.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1574.001", "T1574"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.001", "T1574"], "nist": ["DE.AE"]}
 known_false_positives = False positives will be present based on paths. Filter or add other paths to the exclusion as needed.
providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11444,7 +11604,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following hunting analytic is query built against a accidental feature using the latest Sysmon TA 3.0 (https://splunkbase.splunk.com/app/5709/) which maps the module load (ImageLoaded) to process_name. This analytic will deprecate once this is fixed. This hunting analytic identifies known libraries in Windows that may be used in a DLL search order hijack or DLL Sideloading setting. This may require recompiling the DLL, moving the DLL or moving the vulnerable process. The query looks for any running out of system32 or syswow64. Some libraries natively run out of other application paths and will need to be added to the exclusion as needed. The lookup is comprised of Microsoft native libraries identified within the Hijacklibs.net project.
 how_to_implement = The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1574.001", "T1574"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.001", "T1574"], "nist": ["DE.AE"]}
 known_false_positives = False positives will be present based on paths. Filter or add other paths to the exclusion as needed.
 providing_technologies = null
@@ -11454,7 +11614,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a recently disclosed search ordler DLL hijack in iscsicpl.exe. The malicious DLL must be in a new path and iscsicpl.exe, upon load, will execute the payload. The analytic is restricted to Windows shells. Two proof of concepts were identified and utilized to determine the behavior. The command-line is an option to go after, but most likely identifying a child process off iscsicpl.exe will be more effective. Monitoring for suspicious DLL loads is also an option.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1574.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.001"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present, filtering may be required. Remove the Windows Shells macro to determine if other utilities are using iscsicpl.exe.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11464,7 +11624,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies suspicious DLL modules loaded by calc.exe that are not in windows %systemroot%\system32 or %systemroot%\sysWoW64 folder. This technique is well used by Qakbot malware to execute its malicious DLL file via dll side loading technique in calc process execution. This TTP detection is a good indicator that a suspicious dll was loaded in a public or non-common installation folder of Windows Operating System that needs further investigation.
 how_to_implement = To successfully implement this search you need to be ingesting information on processes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -11474,7 +11634,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies the suspicious child process of calc.exe due to dll side loading technique to execute another executable. This technique was seen in qakbot malware that uses dll side loading technique to calc applications to load its malicious dll code. The malicious dll that abuses dll side loading technique will load the actual qakbot loader dll using regsvr32.exe application. This TTP is a good indicator of qakbot since the calc.exe will not load other child processes aside from win32calc.exe.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11484,7 +11644,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a process command line used to enumerate DNS records. Adversaries, threat actors, or red teamers may employ this technique to gather information about a victim's DNS, which can be utilized during targeting. This method was also observed as part of a tool used by the Sandworm APT group in a geopolitical cyber warfare attack. By using the dnscmd.exe Windows application, an attacker can enumerate DNS records for specific domains within the targeted network, potentially aiding in further attacks. This anomaly detection can serve as a valuable starting point for identifying users and hostnames that may be compromised or targeted by adversaries seeking to collect data information.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1590.002"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1590.002"], "nist": ["DE.AE"]}
 known_false_positives = network administrator can execute this command to enumerate DNS record. Filter or add other paths to the exclusion as needed.
providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11494,7 +11654,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic leverages Event ID 4732 to identify the addition of a new member to the DnsAdmins group within Active Directory. . Members of the DnsAdmin group can manage the DNS service which most of the times runs on the Domain Controller. By abusing legitimate DNS management functionality, a member of the DnsAdmins group can escalate privileges by executing malicious code on a Domain Controller as SYSTEM. Security teams should monitor the modification of the DnsAdmins group and validate the changes are legitimate.
 how_to_implement = To successfully implement this search, Domain Controller events need to be ingested. The Advanced Security Audit policy setting `Audit Security Group Management` within `Account Management` needs to be enabled.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 known_false_positives = New members can be added to the DnsAdmins group as part of legitimate administrative tasks. Filter as needed.
 providing_technologies = ["Microsoft Windows"]
@@ -11504,7 +11664,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets Get-NetComputer. This technique was seen used in the context of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory user account's "samccountname", "accountexpires", "lastlogon" and so on. This hunting query is a good pivot to look for suspicious process or malware that gather user account information in a host or within network system.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.AE"]}
 known_false_positives = Administrators may leverage PowerView for legitimate purposes, filter as needed.
 providing_technologies = ["Microsoft Windows"]
@@ -11514,7 +11674,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies potential Kerberos ticket forging attacks, specifically the Diamond Ticket attack. This is detected when a user logs into a host and the GroupMembership field in event 4627 indicates a privileged group (e.g., Domain Admins), but the user does not actually belong to that group in the directory service. The detection leverages Windows Security Event Log 4627, which logs account logon events. The analytic cross-references the GroupMembership field from the event against a pre-populated lookup of actual group memberships. Its crucial to note that the accuracy and effectiveness of this detection heavily rely on the users diligence in populating and regularly updating this lookup table. Any discrepancies between the events GroupMembership and the lookup indicate potential ticket forging. Kerberos ticket forging, especially the Diamond Ticket attack, allows attackers to impersonate any user and potentially gain unauthorized access to resources. By forging a ticket that indicates membership in a privileged group, an attacker can bypass security controls and gain elevated privileges. Detecting such discrepancies in group memberships during logon events can be a strong indicator of this attack in progress, making it crucial for security teams to monitor and investigate. If validated as a true positive, this indicates that an attacker has successfully forged a Kerberos ticket and may have gained unauthorized access to critical resources, potentially with elevated privileges.
 how_to_implement = To successfully implement this search, you need to be ingesting Authentication events across all endpoints and ingest Event Id 4627. Specifically, the Audit Group Membership subcategory within the Logon Logooff category needs to be enabled.
Its crucial to note that the accuracy and effectiveness of this detection heavily rely on the users diligence in populating and regularly updating this lookup table.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]}
 known_false_positives = False positives may trigger the detections certain scenarios like directory service delays or out of date lookups. Filter as needed.
 providing_technologies = ["Microsoft Windows"]
@@ -11524,7 +11684,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies native .net binaries within the Windows operating system that may be abused by adversaries by moving it to a new directory. The analytic identifies the .net binary by using a lookup and compares the process name and original file name (internal name). The analytic utilizes a lookup with the is_net_windows_file macro to identify the binary process name and original file name. if one or the other matches an alert will be generated. Adversaries abuse these binaries as they are native to windows and native DotNet. Note that not all SDK (post install of Windows) are captured in the lookup.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1036", "T1036.003", "T1218", "T1218.004"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1036.003", "T1218", "T1218.004"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present and filtering may be required. Certain utilities will run from non-standard paths based on the third-party application in use.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -11534,7 +11694,7 @@ asset_type = endpoint
 confidence = medium
 explanation = The following hunting / inventory query assists defenders in identifying Drivers being loaded across the fleet. This query relies upon a PowerShell script input to be deployed to critical systems and beyond. If capturing all via the input, this will provide retrospection into drivers persisting. Note, that this is not perfect across a large fleet. Modify the query as you need to view the data differently.
 how_to_implement = To capture the drivers by host, utilize the referenced Gist to create the inputs, props and transforms. Otherwise, this hunt query will not work.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1068"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.AE"]}
 known_false_positives = Filter and modify the analytic as you'd like. Filter based on path. Remove the system32\drivers and look for non-standard paths.
 providing_technologies = null
 
@@ -11544,7 +11704,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic uses Windows EventCode 7045 to identify new Kernel Mode Drivers being loaded in Windows from a non-standard path. Note that, adversaries may move malicious or vulnerable drivers into these paths and load up. The idea is that this analytic provides visibility into drivers loading in non-standard file paths.
 how_to_implement = To implement this analytic, the Windows EventCode 7045 will need to be logged. The Windows TA for Splunk is also recommended.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1014", "T1068"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1014", "T1068"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present based on legitimate third party applications needing to install drivers. Filter, or allow list known good drivers consistently being installed in these paths.
 providing_technologies = null
 
@@ -11554,7 +11714,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic assists with viewing all drivers being loaded by using Sysmon EventCode 6 (Driver Load). Sysmon provides some simple fields to assist with identifying suspicious drivers. Use this analytic to look at prevalence of driver (count), path of driver, signature status and hash. Review these fields with scrutiny until the ability to prove the driver is legitimate and has a purpose in the environment.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have the latest version of the Sysmon TA. Most EDR products provide the ability to review driver loads, or module loads, and using a query as such help with hunting for malicious drivers.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1014", "T1068"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1014", "T1068"], "nist": ["DE.AE"]}
 known_false_positives = This analytic is meant to assist with identifying drivers loaded in the environment and not to be setup for notables off the bat.
 providing_technologies = null
 
@@ -11564,7 +11724,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic searches for a registry modification that enables the use of the at.exe or wmi Win32_ScheduledJob command to add scheduled tasks on a Windows endpoint. Specifically, it looks for the creation of a new DWORD value named "EnableAt" in the following registry path: "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration". If this value is set to 1, it enables the at.exe and wmi Win32_ScheduledJob commands to schedule tasks on the system. Detecting this registry modification is important because it may indicate that an attacker has enabled the ability to add scheduled tasks to the system, which can be used to execute malicious code at specific times or intervals.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.005"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005"], "nist": ["DE.AE"]}
 known_false_positives = In some cases, an automated script or system may enable this setting continuously, leading to false positives. To avoid such situations, it is recommended to monitor the frequency and context of the registry modification and modify or filter the detection rules as needed. This can help to reduce the number of false positives and ensure that only genuine threats are identified. Additionally, it is important to investigate any detected instances of this modification and analyze them in the broader context of the system and network to determine if further action is necessary.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -11574,7 +11734,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic will identify suspicious system event of services that was modified from start to disabled. This technique is seen where the adversary attempts to disable security app services, other malware services to evade the defense systems on the compromised host
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
 known_false_positives = Windows service update may cause this event. In that scenario, filtering is needed.
 providing_technologies = null
 
@@ -11584,7 +11744,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic utilizes Windows Security Event ID 1102 or System log event 104 to identify when a Windows event log is cleared. Note that this analytic will require tuning or restricted to specific endpoints based on criticality. During triage, based on time of day and user, determine if this was planned. If not planned, follow through with reviewing parallel alerts and other data sources to determine what else may have occurred.
 how_to_implement = To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1070", "T1070.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070", "T1070.001"], "nist": ["DE.CM"]}
 known_false_positives = It is possible that these logs may be legitimately cleared by Administrators. Filter as needed.
 providing_technologies = ["Microsoft Windows"]
 
@@ -11594,7 +11754,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following hunting analytic identifies EventCode 3000 in Application channel indicating a process exit. This behavior is based on process names being added to the Image File Execution Options under HKLM \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ and \SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit. Once these are set for a process, an eventcode 3000 will generate. The example used is from Thinkst Canary where a CanaryToken is setup to monitor for a commonly abused living off the land binary (ex. Klist.exe) and generate an event when it occurs. This can be seen as settings traps to monitor for suspicious behavior. Monitor and tune this hunting analytic and setup traps across your organization and begin monitoring.
 how_to_implement = This analytic requires capturing the Windows Event Log Application channel in XML.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1546.012"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.012"], "nist": ["DE.AE"]}
 known_false_positives = False positives may be present and tuning will be required before turning into a TTP or notable.
 providing_technologies = null
 
@@ -11604,7 +11764,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic will identify suspicious excessive number of system events of services that was modified from start to disabled. This technique is seen where the adversary attempts to disable security app services, other malware services oer serve as an destructive impact to complete the objective on the compromised system. One good example for this scenario is Olympic destroyer where it disable all active services in the compromised host as part of its destructive impact and defense evasion.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = Unknown
 providing_technologies = null
 
@@ -11614,7 +11774,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic identifies potentially malicious 'ImageLoaded' events, particularly when they involve executable files. This behavior was observed in NjRAT instances, where, during each instance of loading a module from its C2 server onto the compromised host, Sysmon recorded the path of the actual Image or Process as an 'ImageLoaded' event, rather than the typical tracking of dynamically loaded DLL modules in memory. This event holds significance because it tracks processes that load modules and libraries, which are typically in the .dll format rather than .exe. Leveraging this 'Time-To-Perform' (TTP) detection method can prove invaluable for the identification of NjRAT malware or other malicious software instances that introduce executable files as modules within a targeted host.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1129"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1129"], "nist": ["DE.CM"]}
 known_false_positives = unknown.
 providing_technologies = null
 
@@ -11624,7 +11784,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a recently disclosed arbitraty command execution using Windows msdt.exe - a Diagnostics Troubleshooting Wizard. The sample identified will use the ms-msdt:/ protocol handler to load msdt.exe to retrieve a remote payload. During triage, review file modifications for html. Identify parallel process execution that may be related, including an Office Product.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present, filter as needed. Added .xml to potentially capture any answer file usage. Remove as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -11634,7 +11794,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies the potential exfiltration of data using PowerShell's Invoke-RestMethod. This technique was observed in the Winter-Vivern malware, which uploads desktop screenshots and files from compromised or targeted hosts. Detecting this TTP can serve as a valuable indicator that a process is attempting to upload files to an external or internal URI link. We recommend examining the process, the files it is trying to upload, and the URL link or C2 destination where the data is being uploaded.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1041"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1041"], "nist": ["DE.CM"]}
 known_false_positives = False positives should be limited. Filter as needed.
 providing_technologies = ["Microsoft Windows"]
 
@@ -11644,7 +11804,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies potential data exfiltration using the PowerShell net.webclient command. This technique was observed in the Winter-Vivern malware, which uploads desktop screenshots and files from compromised or targeted hosts. Detecting this TTP can serve as a valuable indicator that a process is attempting to upload files to an external or internal URI link. We recommend examining the process, the files it is trying to upload, and the URL link or C2 destination where the data is being uploaded.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1041"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1041"], "nist": ["DE.CM"]}
 known_false_positives = False positives should be limited. Filter as needed.
 providing_technologies = ["Microsoft Windows"]
 
@@ -11654,7 +11814,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies when a certificate is exported from the Windows Certificate Store. This analytic utilizes the Certificates Lifecycle log channel event ID 1007. EventID 1007 is focused on the Export of a certificate from the local certificate store. In addition, review the ProcessName field as it will help to determine automation/Admin or adversary extracting the certificate. Depending on the organization, the certificate may be used for authentication to the VPN or private resources.
 how_to_implement = To implement this analytic, you must collect Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational or Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1552.004", "T1552", "T1649"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.004", "T1552", "T1649"], "nist": ["DE.AE"]}
 known_false_positives = False positives may be generated based on an automated process or service that exports certificates on the regular. Review is required before setting to alert. Monitor for abnormal processes performing an export.
 providing_technologies = null
 
@@ -11664,7 +11824,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies the use of the Invoke-ShareFinder PowerShell commandlet part of PowerView. This module obtains the list of all active domain computers and lists the active shares on each computer. Network file shares in Active Directory environments may contain sensitive information like backups, scripts, credentials, etc. Adversaries who have obtained a foothold in an AD network may leverage PowerView to identify secrets and leverage them for Privilege Escalation or Lateral Movement.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1135"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1135"], "nist": ["DE.CM"]}
 known_false_positives = Security teams may leverage PowerView proactively to identify and remediate sensitive file shares. Filter as needed.
 providing_technologies = ["Microsoft Windows"]
 
@@ -11674,7 +11834,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a possible windows application having a FTP connection in a non common installation path in windows operating system.This network protocol is being used by adversaries, threat actors and malware like AgentTesla as a Command And Control communication to transfer its collected stolen information like the desktop screenshots, browser information and system information of a targeted or compromised host.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 3 connection events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1071.003", "T1071"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.003", "T1071"], "nist": ["DE.AE"]}
 known_false_positives = third party application may use this network protocol as part of its feature. Filter is needed.
 providing_technologies = null
 
@@ -11684,7 +11844,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to look for suspicious file creation in the critical folder like "System32\Drivers" folder without file extension. This artifacts was seen in latest hermeticwiper where it drops its driver component in Driver Directory both the compressed(without file extension) and the actual driver component (with .sys file extension). This TTP is really a good indication that a host might be compromised by this destructive malware that wipes the boot sector of the system.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]}
 known_false_positives = Unknown at this point
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -11694,7 +11854,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a suspicious registry modification associated with NjRat, a telltale sign of its fileless technique. NjRat employs this method to manage its keylogs and execute downloaded DLL module plugins discreetly on the compromised host. This approach is particularly effective at evading conventional file-based detection systems, as it stores indicators of compromise (IOCs) in the registry. Leveraging this TTP (Tactics, Techniques, and Procedures) detection can significantly enhance the identification of NjRAT infections.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1027.011", "T1027"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027.011", "T1027"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -11704,7 +11864,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic aims to identify potential adversaries who manipulate the security permissions of specific files or directories. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. By modifying the security permissions, adversaries seek to evade detection and impede access to their component files. Such actions indicate a deliberate effort to maintain control over compromised systems and hinder investigation or remediation efforts. Detecting these security permission changes can serve as a valuable indicator of an ongoing attack and enable timely response to mitigate the impact of the adversary's activities.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1222.001", "T1222"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222.001", "T1222"], "nist": ["DE.CM"]}
 known_false_positives = Unknown. It is possible some administrative scripts use ICacls. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -11714,7 +11874,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Get-DomainOU` commandlet. `Get-DomainOU` is a component of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Identifying the use of `Get-DomainOU` is crucial as adversaries and Red Teams might employ it to gain insights into organizational units within Active Directory, potentially aiding in lateral movement or privilege escalation strategies.
 how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"]}
 known_false_positives = Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed.
 providing_technologies = ["Microsoft Windows"]
 
@@ -11724,7 +11884,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Find-InterestingDomainAcl` commandlet. `Find-InterestingDomainAcl` is part of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Find-InterestingDomainAcl` is crucial as adversaries and Red Teams might employ it to identify unusual or misconfigured Access Control Lists (ACLs) within the domain. Such ACLs can provide attackers with insights into potential privilege escalation opportunities or weak security postures within Active Directory.
 how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"]}
 known_false_positives = Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed.
 providing_technologies = ["Microsoft Windows"]
 
@@ -11734,7 +11894,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies the use of the findstr command employed to search for unsecured credentials Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts. These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public). While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1552", "T1552.006"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552", "T1552.006"], "nist": ["DE.CM"]}
 known_false_positives = Administrators may leverage findstr to find passwords in GPO to validate exposure. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -11744,7 +11904,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic utilizes PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Get-ForestDomain` commandlet. `Get-ForestDomain` is a component of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Get-ForestDomain` is essential as adversaries and Red Teams might employ it to gain insights into the forest and domain configurations of an Active Directory environment. Such information can provide attackers with a broader understanding of the domain structure and potential avenues for lateral movement or privilege escalation.
 how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"]}
 known_false_positives = Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed.
 providing_technologies = ["Microsoft Windows"]
 
@@ -11754,7 +11914,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic detects a powershell script that enumerate camera mounted to the targeted host. This technique was seen in DCRat malware, where it runs a powershell command to look for camera information that will be pass on to its C2 server. This anomaly detection can be a good pivot to check who and why this enumeration is needed and what parent process execute this powershell script command.
 how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1592.001", "T1592"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592.001", "T1592"], "nist": ["DE.AE"]}
 known_false_positives = Administrators may execute this powershell command to get hardware information related to camera on $dest$.
 providing_technologies = ["Microsoft Windows"]
 
@@ -11764,7 +11924,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a process that loads the samlib.dll module. This module is being abused by adversaries, threat actors and red teamers to access information of SAM objects or access credentials information in DC. This hunting query can be a good indicator that a process is capable of accessing the SAM object.
 how_to_implement = The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1589.001", "T1589"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1589.001", "T1589"], "nist": ["DE.AE"]}
 known_false_positives = this module can be loaded by a third party application. Filter is needed.
 providing_technologies = null
@@ -11774,7 +11934,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies process that attempts to connect to a known IP web services. This technique is commonly used by trickbot and other malware to perform reconnaissance against the infected machine and look for its IP address.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, dns query name process path , and query ststus from your endpoints like EventCode 22. If you are using Sysmon, you must have at least version 12 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1590.005", "T1590"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1590.005", "T1590"], "nist": ["DE.AE"]}
 known_false_positives = Filter internet browser application to minimize the false positive of this detection.
 providing_technologies = null
@@ -11784,7 +11944,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the Get-ADComputer commandlet used with specific parameters to discover Windows endpoints with Kerberos Unconstrained Delegation. Red Teams and adversaries alike may leverage use this technique for situational awareness and Active Directory Discovery.
 how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
 known_false_positives = Administrators or power users may leverage PowerView for system management or troubleshooting.
 providing_technologies = ["Microsoft Windows"]
@@ -11794,7 +11954,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Find-LocalAdminAccess` commandlet. `Find-LocalAdminAccess` is part of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Find-LocalAdminAccess` is vital as adversaries and Red Teams might employ it to identify machines where the current user context has local administrator access. Such information can provide attackers with potential targets for lateral movement or privilege escalation within the network.
 how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"]}
 known_false_positives = Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed.
 providing_technologies = ["Microsoft Windows"]
@@ -11804,7 +11964,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic leverages Event IDs 5136 and 51137 to identify the creation of a new Group Policy Object. With GPOs, system administrators can manage and configure applications, software operations, and user settings throughout an entire organization. GPOs can be abused and leveraged by adversaries to escalate privileges or deploy malware across an Active Directory network. As an example, the Lockbit ransomware malware will create new group policies on the domain controller that are then pushed out to every device on the network. Security teams should monitor the creation of new Group Policy Objects.
 how_to_implement = To successfully implement this search, the Advanced Security Audit policy setting `Audit Directory Service Changes` within `DS Access` needs to be enabled. Furthermore, the appropriate system access control lists (SACL) need to be created as the used events are not logged by default. A good guide to accomplish this can be found here https://jgspiers.com/audit-group-policy-changes/.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1484", "T1484.001", "T1078.002"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1484", "T1484.001", "T1078.002"], "nist": ["DE.CM"]}
 known_false_positives = Group Policy Objects are created as part of regular administrative operations, filter as needed.
 providing_technologies = ["Microsoft Windows"]
@@ -11814,7 +11974,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic detects creation of hidden scheculed tasks such that it this task is not visible on the UI. Such behavior is indicative of certain malware, such as Industroyer2, or attacks leveraging living-off-the-land binaries (LOLBINs) to download additional payloads to a compromised machine. This analytic relies on the Windows Security EventCode 4698, indicating the creation of a scheduled task. The search focuses on identifying instances where the 'Hidden' setting is enabled, signaling potential nefarious activity. To implement this search, you need to ingest logs with task scheduling details from your endpoints. As false positives are currently unknown, it is advised to tune and filter based on the known use of task scheduling in your environment. This analytic provides crucial visibility into stealthy, potentially harmful scheduled tasks on Windows systems.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Microsoft Windows"]
@@ -11824,7 +11984,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to detect a suspicious registry modification to hide common windows notification feature from compromised host. This technique was seen in some ransomware family to add more impact to its payload that are visually seen by user aside from the encrypted files and ransomware notes. Even this a good anomaly detection, administrator may implement this changes for auditing or security reason. In this scenario filter is needed.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11834,7 +11994,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for high frequency of file deletion relative to process name and process id. These events usually happen when the ransomware tries to encrypt the files with the ransomware file extensions and sysmon treat the original files to be deleted as soon it was replace as encrypted data.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the deleted target file name, process name and process id from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1485"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.AE"]}
 known_false_positives = user may delete bunch of pictures or files in a folder.
 providing_technologies = null
@@ -11844,7 +12004,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to detect a process loading version.dll that is not in %windir%\\system32 or %windir%\\syswow64 dir path. This event is seen in ransomware and APT malware that executes malicious version.dll placed in the same folder of onedrive application that will execute that module. This technique is known to be DLL side loading. This technique was used to execute an agent of Brute Ratel C4 red teaming tools to serve as remote admin tool to collect and compromise target host.
 how_to_implement = The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1574.001", "T1574"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.001", "T1574"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -11854,7 +12014,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following hunting analytic identifies all processes requesting access into Lsass.exe. his behavior may be related to credential dumping or applications requiring access to credentials. Triaging this event will require understanding the GrantedAccess from the SourceImage. In addition, whether the account is privileged or not. Review the process requesting permissions and review parallel processes.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.AE"]}
 known_false_positives = False positives will occur based on GrantedAccess and SourceUser, filter based on source image as needed. Utilize this hunting analytic to tune out false positives in TTP or anomaly analytics.
 providing_technologies = null
@@ -11864,7 +12024,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following hunting analytic will identify any protocol handlers utilized on the command-line. A protocol handler is an application that knows how to handle particular types of links: for example, a mail client is a protocol handler for "mailto:" links. When the user clicks a "mailto:" link, the browser opens the application selected as the handler for the "mailto:" protocol (or offers them a choice of handlers, depending on their settings). To identify protocol handlers we can use NirSoft https://www.nirsoft.net/utils/url_protocol_view.html URLProtocolView or query the registry using PowerShell.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
 known_false_positives = False positives will be found. https and http is a URL Protocol handler that will trigger this analytic. Tune based on process or command-line.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11874,7 +12034,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies the process AppCmd.exe installing a new module into IIS. AppCmd is a utility to manage IIS web sites and App Pools. An adversary may run this command to install a webshell or backdoor. This has been found to be used for credit card scraping, persistence, and further post-exploitation. An administrator may run this to install new modules for a web site or during IIS updates.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1505", "T1505.004"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.004"], "nist": ["DE.AE"]}
 known_false_positives = False positives may be present until properly tuned. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11884,7 +12044,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic requires the use of PowerShell inputs to run Get-WebGlobalModule to list out all the IIS Modules installed. The output is a list of Module names and the Image path of the DLL.
 how_to_implement = You must ingest the PwSh cmdlet Get-WebGlobalModule in order to utilize this analytic. Follow https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1505.004", "T1505"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505.004", "T1505"], "nist": ["DE.AE"]}
 known_false_positives = This analytic is meant to assist with hunting modules across a fleet of IIS servers. Filter and modify as needed.
 providing_technologies = null
@@ -11894,7 +12054,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic utilizes EventCode 2282 which generates when a Module DLL could not be loaded due to a configuration problem. This typically occurs when a IIS module is installed but is failing to load. This typically results in thousands of events until the issue is resolved. Review the module that is failing and determine if it is legitimate or not.
 how_to_implement = IIS must be installed and Application event logs must be collected in order to utilize this analytic.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1505", "T1505.004"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.004"], "nist": ["DE.AE"]}
 known_false_positives = False positives will be present until all module failures are resolved or reviewed.
 providing_technologies = null
@@ -11904,7 +12064,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic uses the Windows Event log - Microsoft-IIS-Configuration/Operational - which must be enabled and logged on Windows IIS servers before it can be Splunked. The following analytic identifies newly installed IIS modules. Per Microsoft, IIS modules are not commonly added to a production IIS server, so alerting on this event ID should be enabled.IIS modules can be installed at a global level or at a site level. In detecting malicious IIS modules, it is important to check both the global and site level for unauthorized modules. Regular monitoring of these locations for such modules and comparing against a known good list can help detect and identify malicious IIS modules.
 how_to_implement = You must enabled the IIS Configuration Operational log before ingesting in Splunk. Setup and inputs may be found here https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1505", "T1505.004"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.004"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present when updates or an administrator adds a new module to IIS. Monitor and filter as needed.
 providing_technologies = null
@@ -11914,7 +12074,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic is to identify a process that imports applocker xml policy using PowerShell commandlet. This technique was seen in Azorult malware where it drop an xml Applocker policy that will deny several AV products and further executed the PowerShell Applocker commandlet.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
 known_false_positives = Administrators may execute this command that may cause some false positive.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11924,7 +12084,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a modification in the Windows registry to change the health check interval of Windows Defender. Specifically, a value of 1 typically signifies that Windows Defender would perform health checks at a much higher frequency than the default settings. However, it's important to note that modifying this value to 1 might not necessarily conform to the actual behavior, as certain registry settings may have specific accepted values or a defined range that differs from a simple binary representation. Changing registry values, especially those related to system services, should be approached cautiously. Incorrect modifications can potentially impact system stability or performance. Always ensure you understand the implications and have a backup before altering registry settings.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11934,7 +12094,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a modification in the Windows registry to change Windows Defender Quick Scan Interval. The "QuickScanInterval" in Windows Defender, specifically within the context of antivirus software, typically refers to the interval or frequency at which the system conducts quick scans for malware or potential threats. This setting dictates how often Windows Defender performs quick scans on the system. Quick scans are less comprehensive than full system scans but provide a faster way to check critical areas for potential threats or malware. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11944,7 +12104,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a modification in the Windows registry to change the ThrottleDetectionEventsRate of Windows Defender. The ThrottleDetectionEventsRate registry setting in Windows Defender is related to controlling the rate at which detection events are logged or reported by Windows Defender Antivirus. This registry setting determines how frequently Windows Defender logs or reports detection events. Adjusting the ThrottleDetectionEventsRate value can impact the logging frequency of detection events such as malware detections, scanning results, or security-related events recorded by Windows Defender. A higher value might mean that detection events are reported less frequently, potentially reducing the volume of recorded events, while a lower value could increase the reporting frequency, resulting in more frequent logs of detection events.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11954,7 +12114,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a modification in the Windows registry to change the Windows Defender Wpp Tracing levels. The "WppTracingLevel" registry setting is typically related to Windows software tracing and diagnostics, specifically involving Windows Software Trace Preprocessor (WPP) tracing. WPP tracing is a mechanism used by developers to instrument code for diagnostic purposes, allowing for the collection of detailed logs and traces during software execution. It helps in understanding the behavior of the software, identifying issues, and analyzing its performance. Without specific documentation or references to "WppTracingLevel" within Windows Defender settings or its functionalities, it's challenging to provide precise details about its intended use or configuration within Windows Defender. Modifying registry settings without understanding their implications can affect system behavior or security. Always proceed cautiously and ensure changes align with best practices and organizational requirements.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11964,7 +12124,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a modification in the Windows registry to change or disable Windows Defender smartscreen app install control. Microsoft Edge's App Install Control feature helps manage the installation of web-based applications. When attackers modify "ConfigureAppInstallControlEnabled" to 0, they are likely attempting to disable the App Install Control feature in Microsoft Edge. This change might allow users to bypass restrictions imposed by the browser on the installation of web-based applications. Disabling this feature might increase the risk of users being able to install potentially malicious or untrusted web applications without restrictions or controls imposed by the browser. This action could potentially lead to security vulnerabilities or compromise if users inadvertently install harmful applications.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11974,7 +12134,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a modification in the Windows registry to define the threat action of Windows Defender. The ThreatSeverityDefaultAction registry setting in Windows Defender is used to define the default action taken by Windows Defender when it encounters threats of specific severity levels. A setting like ThreatSeverityDefaultAction is designed to define how Windows Defender responds to threats based on their severity. For example, it might determine whether Windows Defender quarantines, removes, or takes other actions against threats based on their severity levels. In this context, a registry value of 1 typically indicates an action to "clean," aiming to disinfect or resolve the detected threat, while a registry value of 9 signifies "no action," meaning that the antivirus software refrains from taking immediate steps against the identified threat.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11984,7 +12144,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The search looks for the deletion of Windows Defender context menu within the registry. This is consistent behavior with RAT malware across a fleet of endpoints. This particular behavior is executed when an adversary gains access to an endpoint and begins to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
 known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -11994,7 +12154,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The search looks for the deletion of Windows Defender main profile within the registry. This was used by RAT malware across a fleet of endpoints. This particular behavior is typically executed when an adversary gains access to an endpoint and beings to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
 known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12004,7 +12164,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a modification in the Windows registry by the Applocker utility that contains details or registry data values related to denying the execution of several security products. This technique was seen in Azorult malware where it drops an xml Applocker policy that will deny several AV products and then loaded by using PowerShell Applocker commandlet.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present based on organization use of Applocker. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12014,7 +12174,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a modification in the Windows registry to disable Windows Defender Controlled Folder Access feature. The EnableControlledFolderAccess registry setting is associated with the Controlled Folder Access feature in Windows Defender. Controlled Folder Access is a security feature designed to protect certain folders from unauthorized access or modification by malicious applications, including ransomware. When EnableControlledFolderAccess is set to 0, it usually indicates that the Controlled Folder Access feature within Windows Defender is not active. Consequently, the protection mechanism for the specified folders against unauthorized access by potentially malicious applications or ransomware is not enabled.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12024,7 +12184,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a modification in the Windows registry to disable firewall and network protection section settings of windows security. The specific impact of this change depends on the context and the purpose behind modifying this registry value. In general, setting UILockdown to 1 might imply enforcing a restriction or lockdown in the user interface (UI) related to firewall and network protection settings within Windows Defender Security Center. This could potentially restrict users from modifying certain firewall or network protection settings through the UI.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12034,7 +12194,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a modification in the Windows registry to disable Windows Defender protocol recognition feature. The DisableProtocolRecognition setting in Windows Defender is not a commonly known or documented registry setting. It's possible that this specific setting might not exist within the standard Windows Defender configurations or that it might be specific to certain environments, versions, or configurations. It might potentially control or influence the antivirus software's ability to recognize and handle specific protocols or communication methods used by malware or suspicious software.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12044,7 +12204,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a modification in the Windows registry to disable Windows Defender PUA protection. Setting PUAProtection to 0 typically disables the detection and protection against Potentially Unwanted Applications by Microsoft Defender Antivirus. Potentially Unwanted Applications include software that may not be inherently malicious but could exhibit behaviors that users may find undesirable, such as adware, browser toolbars, or software bundlers. Disabling this feature might be preferred in certain situations, but it's essential to consider potential security implications. Enabling PUA protection provides an additional layer of defense against software that might negatively impact user experience or security.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12054,7 +12214,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a modification in the Windows registry to disable windows defender realtime signature delivery feature. This setting governs how Windows Defender Antivirus receives updated signature definitions for identifying and combating malware threats in real-time. The actual impact and behaviors associated with different values for RealtimeSignatureDelivery can vary based on specific Windows Defender configurations and policies. For instance, setting this value to 0 or 1 might control whether real-time signatures are delivered via different methods such as through Windows Update or directly from Microsoft's cloud-based services.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12064,7 +12224,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a modification in the Windows registry to disable Windows Defender web content evaluation. The "EnableWebContentEvaluation" registry entry typically relates to security settings within Microsoft Edge or Internet Explorer, enabling the evaluation of web content for security purposes. When attackers modify "EnableWebContentEvaluation" to 0, they might attempt to disable the browser's capability to evaluate web content for security purposes. Disabling this feature could potentially impact the browser's ability to assess the security risks associated with web content, such as potentially malicious scripts, active content, or unsafe web elements. By turning off content evaluation, attackers might aim to exploit security vulnerabilities present in web content without triggering security warnings or blocks. This manipulation increases the risk of users accessing or interacting with malicious content, potentially leading to security compromises or system exploitation.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12074,7 +12234,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a modification in the Windows registry to disable Windows Defender audit application guard. Microsoft Defender Application Guard provides enhanced security by isolating potentially malicious documents and websites in a containerized environment, protecting the system against various threats. Auditing and logging are essential components of security measures, providing visibility into activities within the isolated environment. Disabling auditing events within Application Guard might not be a standard or recommended practice since auditing is crucial for security monitoring and threat detection within the isolated container. However, there might be settings or configurations related to audit policies in the broader Windows Defender or operating system settings. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12084,7 +12244,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a modification in the Windows registry to disable Windows Defender file hashes computation. The EnableFileHashComputation registry setting likely pertains to whether Windows Defender's MpEngine (Malware Protection Engine) computes file hashes. Setting this value to 0 might disable the file hash computation feature within Windows Defender, which could affect certain malware detection or scanning functionalities that rely on file hash analysis. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12094,7 +12254,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a modification in the Windows registry to disable Windows Defender generic ports. This registry can disable the sending of Watson events in Windows Defender. This is by preventing the transmission of generic or non-specific error reports to Microsoft's Windows Error Reporting service, commonly known as Watson. This kind of setting could potentially be employed to limit or control the data sent to Microsoft for error analysis, often in scenarios where privacy or specific reporting requirements are in place. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12104,7 +12264,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a modification in the Windows registry to disable Windows Defender exploit guard network protection. The EnableNetworkProtection registry entry controls the activation or deactivation of Network Protection within Windows Defender Exploit Guard. When set to 1, it typically signifies that Network Protection is enabled, offering additional security measures against network-based threats by analyzing and blocking potentially malicious network activity. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12114,7 +12274,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a modification in the Windows registry to disable windows defender report infection information. Setting this registry key to 1, Instructs Windows Defender not to report detailed information about infections or threats detected on the system to Microsoft. Enabling this setting might limit or prevent the transmission of specific data related to infections, such as details about the detected malware, to Microsoft's servers for analysis or logging purposes. This registry is being abused by adversaries, threat actors and red-teamers to bypasses Windows Defender detections.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12124,7 +12284,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a modification in the Windows registry to disable Windows Defender Scan On Update. The "DisableScanOnUpdate" registry setting in Windows Defender, when set to a value of 1, typically signifies the feature that prevents automatic scans from initiating when updates to Windows Defender or its antivirus definitions are installed. Any modifications to registry settings, it's important to ensure that changes align with security policies and best practices. Incorrect settings might affect the system's security or functionality. Always consider the implications and ensure changes are made based on accurate information and organizational requirements. This registry setting is being abuse by several threat actors, adversaries and red teamers to bypasses Windows defender detections.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12134,7 +12294,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a modification in the Windows registry to disable windows defender Signature Retirement. The DisableSignatureRetirement registry setting in Windows Defender controls the retirement or expiration of antivirus signatures used by Windows Defender Antivirus. When DisableSignatureRetirement is set to 1, it usually indicates that Windows Defender won't automatically retire or expire antivirus signatures. Antivirus signatures are files containing information about known malware and are used by Windows Defender to detect and protect against threats. Disabling signature retirement might prevent Windows Defender from automatically removing or retiring older or less relevant antivirus signatures. This can potentially increase the number of signatures in use and might impact system resources or the effectiveness of threat detection.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12144,7 +12304,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a modification in the Windows registry to disable windows defender phishing filter. This setting controls whether users can manually disable or modify the browser's built-in phishing filter. When attackers modify "PreventOverride" to 0, it might indicate an attempt to disable the prevention of user overrides for the phishing filter within Microsoft Edge. This change allows users to bypass or disable the built-in phishing protection provided by the browser. By allowing users to override the phishing filter, attackers may attempt to deceive users into visiting phishing websites or malicious pages without triggering warnings or protections from the browser's built-in security measures. This manipulation increases the risk of users unknowingly accessing potentially harmful websites, leading to potential security incidents or compromises.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12154,7 +12314,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a modification in the Windows registry to override windows defender smartscreen prompt. The "PreventSmartScreenPromptOverride" registry setting is associated with the Windows SmartScreen feature, specifically related to controlling whether users can override SmartScreen prompts. When attackers modify "PreventSmartScreenPromptOverride" to 0, it signifies an attempt to disable the prevention of user overrides for SmartScreen prompts. By doing so, attackers aim to allow users to bypass or ignore SmartScreen warnings or prompts. This change increases the risk by permitting users to disregard warnings about potentially unsafe or malicious files or websites that would typically trigger SmartScreen alerts. It could lead to users unintentionally executing or accessing malicious content, potentially resulting in security incidents or system compromises.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12164,7 +12324,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a modification in the Windows registry to set windows defender smart screen level to warn. Setting the ShellSmartScreenLevel to warn implies a SmartScreen configuration where the system displays a warning prompt when users attempt to run or access potentially risky or unrecognized files or applications. This warning serves as a cautionary alert to users, advising them about the potential risks associated with the file or application they are trying to execute. Changing SmartScreen settings to "warn" might be employed by attackers to reduce the likelihood of triggering immediate suspicion from users when running malicious executables. By setting it to "warn," the system prompts a cautionary warning rather than outright blocking the execution, potentially increasing the chances of users proceeding with running the file despite the warning.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12174,7 +12334,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic refers to a detection mechanism designed to identify when the Hypervisor-protected Code Integrity (HVCI) feature is disabled within the Windows registry. HVCI is a security feature in Windows 10 and Windows Server 2016 that helps protect the kernel and system processes from being tampered with by malicious code. HVCI relies on hardware-assisted virtualization and Microsoft's Hyper-V hypervisor to ensure that only kernel-mode code that has been signed by Microsoft or the system's hardware manufacturer can be executed. This prevents attackers from exploiting vulnerabilities to run unsigned code, like kernel-mode rootkits or other malicious software, at the kernel level. Disabling HVCI may expose the system to security risks and could be an indicator of a potential compromise or unauthorized activity. The analytic aims to detect and report events or configurations that lead to the disabling of HVCI.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = False positives will be limited to administrative scripts disabling HVCI. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12184,7 +12344,7 @@ asset_type = Endpoint confidence = medium explanation = The search looks for the Registry Key DefenderApiLogger or DefenderAuditLogger set to disable. This is consistent with RAT malware across a fleet of endpoints. This particular behavior is typically executed when an adversary gains access to an endpoint and beings to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} known_false_positives = It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12194,7 +12354,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a process execute rmdir commandline to delete files and directory tree. This technique has been observed in the actions of various malware strains, such as DarkGate, as they attempt to eliminate specific files or components during their cleanup operations within compromised hosts. Notably, this deletion method doesn't exclusively require elevated privileges and can be executed by regular users or network administrators, although it's not the typical approach used for file deletion. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1070"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.AE"]} known_false_positives = user and network administrator can execute this command. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12204,7 +12364,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic detects programs that have been started by forfiles.exe. According to Microsoft, the 'The forfiles command lets you run a command on or pass arguments to multiple files'. While this tool can be used to start legitimate programs, usually within the context of a batch script, it has been observed being used to evade protections on command line execution. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1202"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1202"], "nist": ["DE.CM"]} known_false_positives = Some legacy applications may be run using pcalua.exe. Similarly, forfiles.exe may be used in legitimate batch scripts. Filter these results as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12214,7 +12374,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic detects programs that have been started by pcalua.exe. pcalua.exe is the Microsoft Windows Program Compatability Assistant. While this tool can be used to start legitimate programs, it has been observed being used to evade protections on command line execution. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1202"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1202"], "nist": ["DE.CM"]} known_false_positives = Some legacy applications may be run using pcalua.exe. Filter these results as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12224,7 +12384,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic is developed to detect suspicious excessive usage of forfiles.exe process. This event was seen in post exploitation tool WINPEAS that was used by Ransomware Prestige. Forfiles command lets you run a command on or pass arguments to multiple files. This Windows OS built-in tool being abused to list all files in specific directory or drive. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1202"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1202"], "nist": ["DE.AE"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12234,7 +12394,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a process execution of Windows OS built-in tool FSUTIL to discover file system information. This tool is being abused or used by several adversaries or threat actor to query/list all drives, drive type, volume information or volume statistics by using the FSINFO parameter of this tool. This technique was seen in WINPEAS post exploitation tool that is being used by ransomware prestige to gain privilege and persistence to the targeted host. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1082"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.AE"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12244,7 +12404,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the Windows Explorer process with a URL within the command-line. Explorer.exe is known Windows process that handles start menu, taskbar, desktop and file manager. Many adversaries abuse this process, like DCRat malware, where it attempts to open the URL with the default browser application on the target host by putting the URL as a parameter on explorer.exe process. This anomaly detection might be a good pivot to check which user and how this process was executed, what is the parent process and what is the URL link. This technique is not commonly used to open an URL. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1105"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.AE"]} known_false_positives = False positives may be present based on legitimate applications or third party utilities. Filter out any additional parent process names. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12254,7 +12414,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a process that loads the credui.dll module. This legitimate module is typically abused by adversaries, threat actors and red teamers to create a credential UI prompt dialog box to lure users for possible credential theft or can be used to dump the credentials of a targeted host. This hunting query is a good pivot to check why the process loaded this dll and if it is a legitimate file. This hunting query may hit false positive for a third party application that uses a credential login UI for user login. how_to_implement = The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1056.002", "T1056"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1056.002", "T1056"], "nist": ["DE.AE"]} known_false_positives = this module can be loaded by a third party application. Filter is needed. providing_technologies = null 
@@ -12267,7 +12427,7 @@ When `InstallUtil.exe` is used in a malicous manner, the path to an executable o If used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \ During triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and module loads from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218.004", "T1218"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.004", "T1218"], "nist": ["DE.CM"]} known_false_positives = Typically this will not trigger as by it's very nature InstallUtil does not need credentials. Filter as needed. providing_technologies = null 
@@ -12277,7 +12437,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the Windows binary InstallUtil.exe running from a non-standard location. The analytic utilizes a macro for InstallUtil and identifies both the process_name and original_file_name. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1036", "T1036.003", "T1218", "T1218.004"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1036.003", "T1218", "T1218.004"], "nist": ["DE.CM"]} known_false_positives = False positives may be present and filtering may be required. Certain utilities will run from non-standard paths based on the third-party application in use. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12290,7 +12450,7 @@ When `InstallUtil.exe` is used in a malicous manner, the path to an executable o If used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \ During triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218.004", "T1218"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.004", "T1218"], "nist": ["DE.CM"]} known_false_positives = Limited false positives should be present as InstallUtil is not typically used to download remote files. Filter as needed based on Developers requirements. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12304,7 +12464,7 @@ When `InstallUtil.exe` is used in a malicous manner, the path to an executable o If used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \ During triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218.004", "T1218"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.004", "T1218"], "nist": ["DE.CM"]} known_false_positives = Limited false positives should be present. Filter as needed by parent process or application. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12318,7 +12478,7 @@ When `InstallUtil.exe` is used in a malicous manner, the path to an executable o If used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \ During triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218.004", "T1218"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.004", "T1218"], "nist": ["DE.CM"]} known_false_positives = Limited false positives should be present as InstallUtil is not typically used to download remote files. Filter as needed based on Developers requirements. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12331,7 +12491,7 @@ When `InstallUtil.exe` is used in a malicous manner, the path to an executable o If used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \ During triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218.004", "T1218"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.004", "T1218"], "nist": ["DE.CM"]} known_false_positives = Limited false positives should be present as InstallUtil is not typically used to download remote files. Filter as needed based on Developers requirements. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12341,7 +12501,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the use of a delivered ISO file that has been mounted and the afformention lnk or file opened within it. When the ISO file is opened, the files are saved in the %USER%\AppData\Local\Temp\\ path. The analytic identifies .iso.lnk written to the path. The name of the ISO file is prepended. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566.001", "T1566", "T1204.001", "T1204"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1566.001", "T1566", "T1204.001", "T1204"], "nist": ["DE.AE"]} known_false_positives = False positives may be high depending on the environment and consistent use of ISOs mounting. Restrict to servers, or filter out based on commonly used ISO names. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12351,7 +12511,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the process name of java.exe and w3wp.exe spawning a Windows shell. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). The shells included in the macro are "cmd.exe", "powershell.exe". Upon triage, review parallel processes and command-line arguments to determine legitimacy. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} known_false_positives = Filtering may be required on internal developer build systems or classify assets as web facing and restrict the analytic based on that. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12361,7 +12521,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a local successful authentication event on a Windows endpoint using the Kerberos package. The target user security identified will be set to the built-in local Administrator account, along with the remote address as localhost - 127.0.0.1. This may be indicative of a kerberos relay attack. Upon triage, review for recently ran binaries on disk. In addition, look for new computer accounts added to Active Directory and other anomolous AD events. how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4624 EventCode enabled. The Windows TA is also required. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]} known_false_positives = False positives are possible, filtering may be required to restrict to workstations vs domain controllers. Filter as needed. providing_technologies = ["Microsoft Windows"] 
@@ -12371,7 +12531,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a potential suspicious process loading dll modules related to Graphicalproton backdoor implant of SVR. These DLL modules have been observed in SVR attacks, commonly used to install backdoors on targeted hosts. This anomaly detection highlights the need for thorough investigation and immediate mitigation measures to safeguard the network against potential breaches. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.AE"]} known_false_positives = unknown providing_technologies = null @@ -12381,7 +12541,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the default service name created by KrbRelayUp. Defenders should be aware that attackers could change the hardcoded service name of the KrbRelayUp tool and bypass this detection. how_to_implement = To successfully implement this search, you need to be ingesting Windows System Event Logs with 7045 EventCode enabled. The Windows TA is also required. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1543.003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543.003"], "nist": ["DE.CM"]} known_false_positives = False positives should be limited as this is specific to KrbRelayUp based attack. Filter as needed. providing_technologies = null 
@@ -12392,7 +12552,7 @@ confidence = medium explanation = The following analytic leverages Event ID 4769, `A Kerberos service ticket was requested`, to identify more than 30 computer service ticket requests from one source. When a domain joined endpoint connects to other remote endpoint, it will first request a Kerberos Service Ticket with the computer name as the Service Name. A user requesting a large number of computer service tickets for different endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc.\ Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold as needed. how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1135", "T1078"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1135", "T1078"], "nist": ["DE.AE"]} known_false_positives = An single endpoint requesting a large number of kerberos service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems. providing_technologies = ["Microsoft Windows"] 
@@ -12402,7 +12562,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic identifies the use of RemCom.exe - The open source psexec. This utility provides the ability to move laterally and run scripts or commands remotely. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1570"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1570"], "nist": ["DE.CM"]} known_false_positives = False positives may be present based on Administrative use. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12412,7 +12572,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the use of Ldifde.exe, which provides the ability to create, modify, or delete LDAP directory objects. Natively, the binary is only installed on a domain controller. However, adversaries or administrators may install the Windows Remote Server Admin Tools for ldifde.exe. Ldifde.exe is a Microsoft Windows command-line utility used to import or export LDAP directory entries. LDAP stands for Lightweight Directory Access Protocol, which is a protocol used for accessing and managing directory information services over an IP network. LDIF, on the other hand, stands for LDAP Data Interchange Format, a standard plain-text data interchange format for representing LDAP directory entries. -i This is a flag used with Ldifde.exe to denote import mode. In import mode, Ldifde.exe takes an LDIF file and imports its contents into the LDAP directory. The data in the LDIF file might include new objects to be created, or modifications or deletions to existing objects. -f This flag is used to specify the filename of the LDIF file that Ldifde.exe will import from (in the case of the -i flag) or export to (without the -i flag). For example, if you wanted to import data from a file called data.ldif, you would use the command ldifde -i -f data.ldif. Keep in mind that while the use of Ldifde.exe is legitimate in many contexts, it can also be used maliciously. For instance, an attacker who has gained access to a domain controller could potentially use Ldifde.exe to export sensitive data or make unauthorized changes to the directory. Therefore, it's important to monitor for unusual or unauthorized use of this tool. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1105", "T1069.002"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Exploitation"], "mitre_attack": ["T1105", "T1069.002"], "nist": ["DE.CM"]} known_false_positives = False positives may be present, filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] @@ -12422,7 +12582,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain organizational unit for situational awareness and Active Directory Discovery. how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]} known_false_positives = Administrators or power users may use this command for troubleshooting. providing_technologies = ["Microsoft Windows"] 
@@ -12432,7 +12592,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic leverages events 4625 and 4624 to identify an endpoint using the builtin local Administrator account to authenticate to a large numbers of endpoints. Specifically, the logic will trigger when an endpoints attempts to authenticate to more than 30 target computers within a 5 minute timespan. This behavior could represent an adversary who has obtained access to local credentials and is trying to validate if these credentials work on other hosts to escalate their privileges. As environments differ across organizations, security teams should customize the thresholds of this detection as needed. how_to_implement = To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1110", "T1110.004"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.004"], "nist": ["DE.CM"]} known_false_positives = Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed. providing_technologies = ["Microsoft Windows"] 
@@ -12442,7 +12602,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a modification in the Windows registry related to the Local Security Authority (LSA) in Windows. This registry value is used to determine whether the system should store passwords in the weaker Lan Manager (LM) hash format. Setting it to 0 disables this feature, meaning LM hashes will be stored. Modifying these settings should be done carefully and with a clear understanding of the impact it might have on system security and functionality. This command is often used in security configurations to enforce stronger password storage methods and prevent the storage of weaker LM hashes, which are more susceptible to certain types of attacks. This TTP detection can be a good indicator of any process or user that tries to modify the LSA security configuration. how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.004"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.004"], "nist": ["DE.CM"]} known_false_positives = Administrator may change this registry setting. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12452,7 +12612,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a possible windows application having a SMTP connection in a non common installation path in windows operating system.This network protocol is being used by adversaries, threat actors and malware like AgentTesla as a Command And Control communication to transfer its collected stolen information like the desktop screenshots, browser information and system information of a targeted or compromised host. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 3 connection events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1071.003", "T1071"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.003", "T1071"], "nist": ["DE.AE"]} known_false_positives = third party application may use this network protocol as part of its feature. Filter is needed. providing_technologies = null 
@@ -12462,7 +12622,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a suspicious process that delete mark-of-the-web data stream. This technique has been observed in various instances of malware and adversarial activities aimed at circumventing security restrictions within the Windows Operating System, particularly pertaining to files downloaded from the internet. An example of this scenario is demonstrated by Ave Maria RAT, which attempts to delete this data stream as a means to evade such restrictions. how_to_implement = To successfully implement this search, you need to be ingesting logs with the deleted target file name, process name and process id from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1553.005"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.005"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = null 
@@ -12472,7 +12632,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a suspicious parent process of explorer.exe. Explorer is usually executed by userinit.exe that will exit after execution that causes the main explorer.exe no parent process. Some malware like qakbot spawn another explorer.exe to inject its code. This TTP detection is a good indicator that a process spawning explorer.exe might inject code or masquerading its parent child process to evade detections. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12482,7 +12642,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a suspicious msdtc.exe with specific command-line parameters, particularly -a or -b, which are regarded as potential indicators of the presence of the insidious PlugX malware. This malware is notorious for its covert operations and is frequently utilized by threat actors for unauthorized access, data exfiltration, and espionage. The analytic's focus on the -a or -b command-line parameters within msdtc.exe is rooted in the PlugX malware's sophisticated tactic of masquerading its activities. To elude detection, PlugX employs a technique where it injects a concealed, headless PlugX Dynamic Link Library (DLL) module into the legitimate msdtc.exe process. By leveraging these specific command-line parameters, the malware attempts to disguise its presence within a system's legitimate processes, thereby evading immediate suspicion. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1036"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12492,7 +12652,7 @@ asset_type = Endpoint confidence = medium explanation = As simple as it sounds, this analytic identifies when the native mimikatz.exe binary executes on Windows. It does look for the original file name as well, just in case the binary is renamed. Adversaries sometimes bring in the default binary and run it directly. Benjamin Delpy originally created Mimikatz as a proof of concept to show Microsoft that its authentication protocols were vulnerable to an attack. Instead, he inadvertently created one of the most widely used and downloaded threat actor tools of the past 20 years. Mimikatz is an open-source application that allows users to view and save authentication credentials such as Kerberos tickets. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003"], "nist": ["DE.CM"]} known_false_positives = False positives should be limited as this is directly looking for Mimikatz, the credential dumping utility. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12502,7 +12662,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies hardcoded extensions related to the Crypo module within Mimikatz. Moving certificates or downloading them is not malicious, however with Mimikatz having hardcoded names it helps to identify potential usage of certificates being exported. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} known_false_positives = False positives may be present and may need to be reviewed before this can be turned into a TTP. In addition, remove .pfx (standalone) if it's too much volume. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12512,7 +12672,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a modification in the Windows registry related to authentication level settings. This registry is the configuration for authentication level settings within the Terminal Server Client settings in Windows. AuthenticationLevelOverride might be used to control or override the authentication level used by the Terminal Server Client for remote connections. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} known_false_positives = Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12522,7 +12682,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will "Treat minor updates like other updates". how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} known_false_positives = administrators may enable or disable this feature that may cause some false positive. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12532,7 +12692,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a suspicious registry modification of Windows auto update notification. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will switch the automatic windows update to "Notify before download". how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} known_false_positives = administrators may enable or disable this feature that may cause some false positive. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12542,7 +12702,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic is developed to detect suspicious registry modification to change the default icon association of windows to ransomware . This technique was seen in Lockbit ransomware where it modified the default icon association of the compromised Windows OS host with its dropped ransomware icon file as part of its defacement payload. This registry is not commonly modified by a normal user so having this anomaly detection may help to catch possible lockbit ransomware infection or other malware. how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12552,7 +12712,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a modification in the Windows registry related to DisableRestrictedAdmin. This registry entry is used to control the behavior of Restricted Admin mode, which is a security feature that limits the exposure of sensitive credentials when connecting remotely to another computer. When this registry value is set to 0 it indicates that Restricted Admin mode is enabled (default behavior). As with any modifications to registry settings, changing this entry should be approached cautiously, ensuring a clear understanding of the implications for system security and functionality. Unauthorized changes to these security settings can pose risks and should be monitored closely for any signs of tampering or unauthorized alterations. how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} known_false_positives = Administrator may change this registry setting. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12562,7 +12722,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic is to identify a modification in the Windows registry to disable toast notifications. This Windows Operating System feature is responsible for alerting or notifying user if application or OS need some updates. Adversaries and malwares like Azorult abuse this technique to disable important update notification in compromised host. This anomaly detection is a good pivot to look for further events related to defense evasion and execution. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} known_false_positives = administrators may enable or disable this feature that may cause some false positive. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12572,7 +12732,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a modification in the Windows registry to disable Windows Defender raw write notification feature. This policy controls whether raw volume write notifications are sent to behavior monitoring or not. This registry was recently identified in Azorult malware to bypass Windows Defender detections or behavior monitoring in terms of volume write. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} known_false_positives = Administrators may enable or disable this feature that may cause some false positive. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12582,7 +12742,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a suspicious registry modification to disable Windows Defender notification. This technique was being abused by several adversaries, malware authors and also red-teamers to evade detection on the targeted machine. RedLine Stealer is one of the malware we've seen that uses this technique to bypass Windows defender detection. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} known_false_positives = administrators may enable or disable this feature that may cause some false positive. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12592,7 +12752,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic is to identify a modification in the Windows registry to disable windows center notifications. This Windows Operating System feature is responsible for alerting or notifying user if application or OS need some updates. Adversaries and malwares like Azorult abuse this technique to disable important update notification in compromised host. This anomaly detection is a good pivot to look for further events related to defense evasion and execution. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} known_false_positives = administrators may enable or disable this feature that may cause some false positive. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12602,7 +12762,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a modification in the Windows registry to DisableRemoteDesktopAntiAlias. This registry setting might be intended to manage or control anti-aliasing behavior (smoothing of edges and fonts) within Remote Desktop sessions. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} known_false_positives = Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12612,7 +12772,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a modification in the Windows registry to disable security settings of Terminal Services. altering or disabling security settings within Terminal Services. Terminal Services, now known as Remote Desktop Services (RDS) in more recent Windows versions, allows users to access applications, data, and even an entire desktop remotely. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} known_false_positives = Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12622,7 +12782,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a modification in the Windows registry to disable Windows error reporting settings. This Windows feature allows the user to report bugs, errors, failure or problems encountered in specific application or processes. Adversaries use this technique to hide any error or failure that some of its malicious components trigger. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} known_false_positives = Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12632,7 +12792,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies modification in the Windows registry to prevent user running specific computer programs that could aid them in manually removing malware or detecting it using security products. This technique was recently identified in Azorult malware where it uses this registry value to prevent several AV products to execute on the compromised host machine. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} known_false_positives = Administrators may enable or disable this feature that may cause some false positive. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12642,7 +12802,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will disable Windos update functionality, and may cause connection to public services such as the Windows Store to stop working. This policy applies only when this PC is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} known_false_positives = administrators may enable or disable this feature that may cause some false positive. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12652,7 +12812,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a modification in the Windows Error Reporting registry to DontShowUI. DarkGate malware modify this registry as part of its malicious installation in a targeted host for its remote desktop capabilities. When this registry value is present and set to a specific configuration, it can influence the behavior of error reporting dialogs or prompts, suppressing them from being displayed to the user.For instance, setting DontShowUI to a value of 1 often indicates that the Windows Error Reporting UI prompts will be suppressed, meaning users won't see error reporting pop-ups when errors occur. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} known_false_positives = Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12662,7 +12822,7 @@ asset_type = endpoint confidence = medium explanation = The following analytic identifies a suspicious registry modification of Windows linked connection configuration. This technique was being abused by several adversaries, malware like BlackByte ransomware to enable the linked connections feature, that allows network shares to be accessed using both standard and administrator-level privileges simultaneously. By default, Windows does not enable this feature to enhance security. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} known_false_positives = Administrators may enable or disable this feature that may cause some false positive. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12672,7 +12832,7 @@ asset_type = endpoint confidence = medium explanation = The following analytic identifies a suspicious registry modification of Windows long path enable configuration. This technique was being abused by several adversaries, malware like BlackByte to enable long file path support in the operating system. By default, Windows has a limitation on the maximum length of a file path, which is set to 260 characters. Enabling the LongPathsEnabled setting allows you to work with file paths longer than 260 characters. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} known_false_positives = Administrators may enable or disable this feature that may cause some false positive. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12682,7 +12842,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a suspicious registry modification of Windows max connection per server configuration. This particular technique has been observed in various threat actors, adversaries, and even in malware such as the Warzone (Ave Maria) RAT. By altering the max connection per server setting in the Windows registry, attackers can potentially increase the number of concurrent connections allowed to a remote server. This modification could be exploited for various malicious purposes, including facilitating distributed denial-of-service (DDoS) attacks or enabling more effective lateral movement within a compromised network. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} known_false_positives = Administrators may enable or disable this feature that may cause some false positive. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12692,7 +12852,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will allow "Logged-on user gets to choose whether or not to restart his or her compute". how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} known_false_positives = Administrators may enable or disable this feature that may cause some false positive. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12702,7 +12862,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will "Disable Automatic Updates". how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} known_false_positives = Administrators may enable or disable this feature that may cause some false positive. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12712,7 +12872,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies alterations in the Windows registry aimed at restricting wallpaper modifications. This tactic has been exploited by the Rhysida ransomware as a part of its destructive payload within compromised systems. By making this registry modification, the ransomware seeks to impede users from changing the wallpaper forcibly set by the malware, restricting the user's control over their system's visual settings. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} known_false_positives = Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12722,7 +12882,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a modification in the Windows registry to enable proxy. This method has been exploited by various malware and adversaries to establish proxy communication on compromised hosts, facilitating connections to malicious Command and Control (C2) servers. Identifying this anomaly serves as a crucial indicator to unveil suspicious processes attempting to activate the proxy feature within the Windows operating system. Detecting such attempts becomes pivotal in flagging potential threats, especially those aiming to leverage proxy configurations for unauthorized communication with malicious entities. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} known_false_positives = Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12732,7 +12892,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a modification in the Windows registry to setup proxy server. This method has been exploited by various malware and adversaries to establish proxy communication on compromised hosts, facilitating connections to malicious Command and Control (C2) servers. Identifying this anomaly serves as a crucial indicator to unveil suspicious processes attempting to activate the proxy feature within the Windows operating system. Detecting such attempts becomes pivotal in flagging potential threats, especially those aiming to leverage proxy configurations for unauthorized communication with malicious entities. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} known_false_positives = Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12742,7 +12902,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a suspicious registry entry created by Qakbot malware as part of its malicious execution. This "Binary Data" Registry was created by newly spawn explorer.exe where its malicious code is injected to it. The registry consist of 8 random registry value name with encrypted binary data on its registry value data. This anomaly detections can be a good pivot for possible Qakbot malware infection or other malware that uses registry to save or store there config or malicious code on the registry data stream. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12752,7 +12912,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a process execution of reg.exe with "restore" parameter. This reg.exe parameter is commonly used to restore registry backup data in a targeted host. This approach or technique was also seen in post-exploitation tool like winpeas where it uses "reg save" and "reg restore" to check the registry modification restriction in targeted host after gaining access to it. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} known_false_positives = network administrator can use this command tool to backup registry before updates or modifying critical registries. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12762,7 +12922,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies modification of Windows registry using regedit.exe application with silent mode parameter. regedit.exe windows application is commonly used as GUI app to check or modify registry. This application is also has undocumented command-line parameter and one of those are silent mode parameter that performs action without stopping for confirmation with dialog box. Importing registry from .reg files need to monitor in a production environment since it can be used adversaries to import RMS registry in compromised host. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} known_false_positives = Administrators may execute this command that may cause some false positive. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12772,7 +12932,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic is designed to identify instances where three or more distinct analytics associated with Mitre ID T1112 - Modification of registry information are triggered. Such occurrences could indicate the presence of multiple malicious registry modifications on a host. Malicious actors frequently manipulate the Windows Registry to hide important configuration details within specific Registry keys. This technique allows them to obscure their activities, erase any evidence during cleanup operations, and establish continuous access and execution of malicious code. how_to_implement = Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} known_false_positives = False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers. providing_technologies = null 
@@ -12782,7 +12942,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic is to identify a modification in the Windows registry to suppress windows defender notification. This technique was abuse by adversaries and threat actor to bypassed windows defender on the targeted host. Azorult malware is one of the malware use this technique that also disable toast notification and other windows features as part of its malicious behavior. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} known_false_positives = administrators may enable or disable this feature that may cause some false positive. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12792,7 +12952,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a suspicious registry modification to tamper Windows Defender protection. This technique was being abused by several adversaries, malware authors and also red-teamers to evade detection on the targeted machine. RedLine Stealer is one of the malware we've seen that uses this technique to bypass Windows defender detection. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} known_false_positives = Administrators may enable or disable this feature that may cause some false positive. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12802,7 +12962,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that specifies an intranet server to host updates from Microsoft Update. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} known_false_positives = Administrators may enable or disable this feature that may cause some false positive. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12812,7 +12972,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will use "The WUServer value unless this key is set". how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} known_false_positives = administrators may enable or disable this feature that may cause some false positive. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12822,7 +12982,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic is designed to identify potentially malicious registry modification characterized by MD5-like registry key names. This technique has been notably observed in NjRAT malware, which employs such registries for fileless storage of keylogs and .DLL plugins. Detecting this tactic serves as an effective means of identifying possible NjRAT malware instances that create or modify registries as part of their malicious activities. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12832,7 +12992,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification related to the WSUS server used by Automatic Updates and (by default) API callers. This policy is paired with WUStatusServer; both must be set to the same value in order for them to be valid. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} known_false_positives = Administrators may enable or disable this feature that may cause some false positive. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12842,7 +13002,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification related to the server to which reporting information will be sent for client computers that use the WSUS server configured by the WUServer key. This policy is paired with WUServer; both must be set to the same value in order for them to be valid. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]} known_false_positives = administrators may enable or disable this feature that may cause some false positive. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -12852,7 +13012,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to look for suspicious registry modification related to file compression color and information tips. This IOC was seen in hermetic wiper where it has a thread that will create this registry entry to change the color of compressed or encrypted files in NTFS file system as well as the pop up information tips. This is a good indicator that a process tries to modified one of the registry GlobalFolderOptions related to file compression attribution in terms of color in NTFS file system.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12862,7 +13022,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic detects a potential suspicious modification of firewall rule allowing to execute specific application in public and suspicious windows process file path. This technique was identified when an adversary and red teams to bypassed firewall file execution restriction in a targetted host. Take note that this event or command can run by administrator during testing or allowing legitimate tool or application.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.CM"]}
 known_false_positives = A network operator or systems administrator may utilize an automated or manual execution of this firewall rule that may generate false positives. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12872,7 +13032,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following anaytic identifies MOFComp.exe loading a MOF file. The Managed Object Format (MOF) compiler parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Typically, MOFComp.exe does not reach out to the public internet or load a MOF file from User Profile paths. A filter and consumer is typically registered in WMI. Review parallel processes and query WMI subscriptions to gather artifacts. The default path of mofcomp.exe is C:\Windows\System32\wbem.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1546.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.003"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present from automation based applications (SCCM), filtering may be required. In addition, break the query out based on volume of usage. Filter process names or f
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12882,7 +13042,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic detects the creation of new ASPX files in the MOVEit Transfer application's "wwwroot" directory. This activity is indicative of the recent critical vulnerability found in MOVEit Transfer, where threat actors have been observed exploiting a zero-day vulnerability to install a malicious ASPX file (e.g., "human2.aspx") in the wwwroot directory. The injected file could then be used to exfiltrate sensitive data, including user credentials and file metadata. The vulnerability affects the MOVEit Transfer managed file transfer software developed by Progress, a subsidiary of US-based Progress Software Corporation. This analytic requires endpoint data reflecting process and filesystem activity. The identified process must be responsible for the creation of new ASPX or ASHX files in the specified directory.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
 known_false_positives = The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12892,7 +13052,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic uses the Exchange Management logs, that are enabled by default, to identify suspicious Cmdlet usage related to ProxyShell and ProxyNotShell abuse.
 how_to_implement = The following analytic requires collecting the Exchange Management logs via a input. An example inputs is here https://gist.github.com/MHaggis/f66f1d608ea046efb9157020cd34c178. We used multiline as the XML format of the logs will require props/transforms. Multiline gives us everything we need in Message for now. Update the macro with your correct sourcetype.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.AE"]}
 known_false_positives = False positives may be present when an Administrator utilizes the cmdlets in the query. Filter or monitor as needed.
 providing_technologies = null
 
@@ -12902,7 +13062,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies the usage of mshta.exe Windows binary in registry to execute malicious script. This technique was seen in kovter malware where it create several registry entry which is a encoded javascript and will be executed by another registry containing mshta and javascript activexobject to execute the encoded script using wscript.shell. This TTP is a good indication of kovter malware or other adversaries or threat actors leveraging fileless detection that survive system reboot.
 how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218.005"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.005"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12912,7 +13072,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies the usage of msiexec.exe using the /y switch parameter, which grants the ability for msiexec to load DLLRegisterServer. Upon triage, review parent process and capture any artifacts for further review.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218.007"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007"], "nist": ["DE.CM"]}
 known_false_positives = This analytic will need to be tuned for your environment based on legitimate usage of msiexec.exe. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12922,7 +13082,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a msiexec.exe process with hidewindow rundll32 process commandline. One such tactic involves utilizing system processes like "msiexec," "hidewindow," and "rundll32" through command-line execution. By leveraging these legitimate processes, QakBot masks its malicious operations, hiding behind seemingly normal system activities. This clandestine approach allows the trojan to carry out unauthorized tasks discreetly, such as downloading additional payloads, executing malicious code, or establishing communication with remote servers. This obfuscation through trusted system processes enables QakBot to operate stealthily, evading detection by security mechanisms and perpetuating its harmful actions without raising suspicion.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218.007", "T1218"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007", "T1218"], "nist": ["DE.CM"]}
 known_false_positives = Other possible 3rd party msi software installers use this technique as part of its installation process.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12932,7 +13092,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies msiexec.exe with http in the command-line. This procedure will utilize msiexec.exe to download a remote file and load it. During triage, review parallel processes and capture any artifacts on disk for review.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218.007"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present, filter by destination or parent process as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12942,7 +13102,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies MSIExec spawning multiple discovery commands, including spawning Cmd.exe or PowerShell.exe. Typically, child processes are not common from MSIExec other than MSIExec spawning itself.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218.007"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007"], "nist": ["DE.CM"]}
 known_false_positives = False positives will be present with MSIExec spawning Cmd or PowerShell. Filtering will be needed. In addition, add other known discovery processes to enhance query.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12952,7 +13112,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic identifies the unusual behavior of MSIExec spawning WinDBG. It is designed to detect potential malicious activities. The search specifically looks for instances where the parent process name is 'msiexec.exe' and the process name is 'windbg.exe'. During the triage process, it is recommended to review the file path for additional artifacts that may provide further insights into the event.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218.007"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007"], "nist": ["DE.CM"]}
 known_false_positives = False positives will only be present if the MSIExec process legitimately spawns WinDBG. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12962,7 +13122,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies the usage of msiexec.exe using the /z switch parameter, which grants the ability for msiexec to unload DLLRegisterServer. Upon triage, review parent process and capture any artifacts for further review.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218.007"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007"], "nist": ["DE.CM"]}
 known_false_positives = This analytic will need to be tuned for your environment based on legitimate usage of msiexec.exe. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12972,7 +13132,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies MSIExec with any network connection over port 443 or 80. Typically, MSIExec does not perform network communication to the internet.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218.007"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007"], "nist": ["DE.CM"]}
 known_false_positives = False positives will be present and filtering is required.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -12982,7 +13142,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a dns query to a known TOR proxy website. This technique was seen in several adversaries, threat actors and malware like AgentTesla to To disguise the source of its malicious traffic. adversaries may chain together multiple proxies. This Anomaly detection might be a good pivot for a process trying to download or use TOR proxies in a compromised host machine.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 22 dns query events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1071.003", "T1071"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.003", "T1071"], "nist": ["DE.AE"]}
 known_false_positives = third party application may use this proxies if allowed in production environment. Filter is needed.
 providing_technologies = null
 
@@ -12994,7 +13154,7 @@ explanation = The following analytic identifies one source endpoint failing to a
 This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations.\
 The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts.
 how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]}
 known_false_positives = A host failing to authenticate with multiple disabled domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems missconfigured systems.
 providing_technologies = ["Microsoft Windows"]
 
@@ -13006,7 +13166,7 @@ explanation = The following analytic identifies one source endpoint failing to a
 This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations.\
 The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts.
 how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]}
 known_false_positives = A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems and missconfigured systems.
 providing_technologies = ["Microsoft Windows"]
 
@@ -13018,7 +13178,7 @@ explanation = The following analytic identifies one source endpoint failing to a
 This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations.\
 The analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts.
 how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation' within `Account Logon` needs to be enabled.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]}
 known_false_positives = A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.
 providing_technologies = ["Microsoft Windows"]
 
@@ -13030,7 +13190,7 @@ explanation = The following analytic identifies a source user failing to authent
 This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed.\
 The analytics returned fields allow analysts to investigate the event further by providing fields like source account, attempted user accounts and the endpoint were the behavior was identified.
 how_to_implement = To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]}
 known_false_positives = A source user failing attempting to authenticate multiple users on a host is not a common behavior for regular systems. Some applications, however, may exhibit this behavior in which case sets of users hosts can be added to an allow list. Possible false positive scenarios include systems where several users connect to like Mail servers, identity providers, remote desktop services, Citrix, etc.
 providing_technologies = ["Microsoft Windows"]
 
@@ -13042,7 +13202,7 @@ explanation = The following analytic identifies one source endpoint failing to a
 This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations.\
 The analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts.
 how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation` within `Account Logon` needs to be enabled.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]}
 known_false_positives = A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.
 providing_technologies = ["Microsoft Windows"]
 
@@ -13054,7 +13214,7 @@ explanation = The following analytic identifies a source process name failing to
 This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed. This could be a domain controller as well as a member server or workstation.\
 The analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts.
 how_to_implement = To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers aas well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]}
 known_false_positives = A process failing to authenticate with multiple users is not a common behavior for legitimate user sessions. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems.
 providing_technologies = ["Microsoft Windows"]
 
@@ -13066,7 +13226,7 @@ explanation = The following analytic identifies one source endpoint failing to a
 This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations.\
 The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts.
 how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]}
 known_false_positives = A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, missconfigured systems and multi-user systems like Citrix farms.
 providing_technologies = ["Microsoft Windows"]
 
@@ -13078,7 +13238,7 @@ explanation = The following analytic identifies a source host failing to authent
 This logic can be used for real time security monitoring as well as threat hunting exercises. This detection will trigger on the host that is the target of the password spraying attack. This could be a domain controller as well as a member server or workstation.\
 The analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts.
 how_to_implement = To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.CM"]}
 known_false_positives = A host failing to authenticate with multiple valid users against a remote host is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, missconfigyred systems, etc.
 providing_technologies = ["Microsoft Windows"]
 
@@ -13088,7 +13248,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the use of ngrok.exe being utilized on the Windows operating system. Unfortunately, there is no original file name for Ngrok, so it may be worth an additional hunt to identify any command-line arguments. The sign of someone using Ngrok is not malicious, however, more recently it has become an adversary tool. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1572", "T1090", "T1102"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1572", "T1090", "T1102"], "nist": ["DE.AE"]} known_false_positives = False positives will be present based on organizations that allow the use of Ngrok. Filter or monitor as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13098,7 +13258,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the use of AdvancedRun.exe. AdvancedRun.exe has similar capabilities as other remote programs like psexec. AdvancedRun may also ingest a configuration file with all settings defined and perform its activity. The analytic is written in a way to identify a renamed binary and also the common command-line arguments. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1588.002"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1588.002"], "nist": ["DE.CM"]} known_false_positives = False positives should be limited as it is specific to AdvancedRun. Filter as needed based on legitimate usage. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13108,7 +13268,7 @@ asset_type = Endpoint confidence = medium explanation = The following hunting analytic assists with identifying the proces execution of commonly used utilities from NirSoft. Potentially not adversary behavior, but worth identifying to know if the software is present and being used. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1588.002"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1588.002"], "nist": ["DE.AE"]} known_false_positives = False positives may be present. Filtering may be required before setting to alert. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13118,7 +13278,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies non SYSTEM accounts requesting access to lsass.exe. This behavior may be related to credential dumping or applications requiring access to credentials. Triaging this event will require understanding the GrantedAccess from the SourceImage. In addition, whether the account is privileged or not. Review the process requesting permissions and review parallel processes. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} known_false_positives = False positives will occur based on legitimate application requests, filter based on source image as needed. providing_technologies = null 
@@ -13128,7 +13288,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies Odbcconf.exe running in the environment to assist with identifying tuning higher fidelity analytics related to Odbcconf.exe. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218.008"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.008"], "nist": ["DE.AE"]} known_false_positives = False positives will be present as this is meant to assist with filtering and tuning. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13138,7 +13298,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies odbcconf.exe, Windows Open Database Connectivity utility, utilizing the action function of regsvr to load a DLL. An example will look like - odbcconf.exe /A { REGSVR T1218-2.dll }. During triage, review parent process, parallel procesess and file modifications. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218.008"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.008"], "nist": ["DE.CM"]} known_false_positives = False positives may be present and filtering may need to occur based on legitimate application usage. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13148,7 +13308,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the odbcconf.exe, Windows Open Database Connectivity utility, loading up a resource file. The file extension is arbitrary and may be named anything. The resource file itself may have different commands supported by Odbcconf to load up a DLL (REGSVR) on disk or additional commands. During triage, review file modifications and parallel processes. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218.008"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.008"], "nist": ["DE.CM"]} known_false_positives = False positives may be present and filtering may need to occur based on legitimate application usage. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13158,7 +13318,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a Microsoft Office product spawning the Windows msdt.exe process. MSDT is a Diagnostics Troubleshooting Wizard native to Windows. This behavior is related to a recently identified sample utilizing protocol handlers to evade preventative controls, including if macros are disabled in the document. During triage, review file modifications for html. In addition, parallel processes including PowerShell and CertUtil. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} known_false_positives = False positives should be limited, however filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13168,7 +13328,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic is designed to detect instances where the PaperCut NG application (pc-app.exe) spawns a Windows shell, specifically cmd.exe or PowerShell. This behavior may indicate potential malicious activity, such as an attacker attempting to gain unauthorized access or execute harmful commands on the affected system. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1190", "T1133"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1059", "T1190", "T1133"], "nist": ["DE.CM"]} known_false_positives = False positives may be present, but most likely not. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13178,7 +13338,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a suspicious explorer.exe process that has "/root" process commandline. The presence of this parameter is considered a significant indicator as it could indicate attempts at spoofing the parent process by a specific program or malware. By spoofing the parent process, the malicious entity aims to circumvent detection mechanisms and operate undetected within the system. This technique of manipulating the command-line parameter (/root) of explorer.exe is a form of masquerading utilized by certain malware or suspicious processes. The objective is to obscure the true nature of the activity by imitating a legitimate system process. By doing so, it attempts to evade scrutiny and evade detection by security measures. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1134.004", "T1134"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.004", "T1134"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13188,7 +13348,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a process command line that retrieves information related to password manager software. This technique was seen in several post exploitation tools like winpeas that are being used by Ransomware Prestige to gather this type of information. Password Managers applications are designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk. Due to this password manager software designed adversaries may find or look for keywords related to the Password Manager databases that can be stolen or extracted for further attacks. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1555.005"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555.005"], "nist": ["DE.AE"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13198,7 +13358,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic is developed to detect suspicious pdf viewer processes that have a browser application child processes. This event was seen in a pdf spear phishing attachment containing a malicious URL link to download the actual payload. When a user clicks the malicious link the pdf viewer application will execute a process of the host default browser to connect to the malicious site. This anomaly detection can be a good indicator that a possible pdf file has a link executed by a user. The pdf viewer and browser list in this detection is still in progress, add the common browser and pdf viewer you use in opening pdf in your network. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]} known_false_positives = False positives in PDF file opened PDF Viewer having legitimate URL link, however filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13208,7 +13368,7 @@ asset_type = Endpoint confidence = medium explanation = The following hunting analytic identifies registry artifacts when an ISO container is opened, clicked or mounted on the Windows operating system. As Microsoft makes changes to macro based document execution, adversaries have begun to utilize container based initial access based phishing campaigns to evade preventative controls. Once the ISO is clicked or mounted it will create a registry artifact related to this event as a recent application executed or opened. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]} known_false_positives = False positives may be high depending on the environment and consistent use of ISOs. Restrict to servers, or filter out based on commonly used ISO names. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13222,7 +13382,7 @@ CallTrace Stack trace of where open process is called. Included is the DLL and t dbgcore.dll or dbghelp.dll are two core Windows debug DLLs that have minidump functions which provide a way for applications to produce crashdump files that contain a useful subset of the entire process context. \ The idea behind using ntdll.dll is to blend in by using native api of ntdll.dll. For example in sekurlsa module there are many ntdll exported api, like RtlCopyMemory, used to execute this module which is related to lsass dumping. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} known_false_positives = False positives will occur based on GrantedAccess 0x1010 and 0x1400, filter based on source image as needed or remove them. Concern is Cobalt Strike usage of Mimikatz will generate 0x1010 initially, but later be caught. providing_technologies = null 
@@ -13232,7 +13392,7 @@ asset_type = Endpoint confidence = medium explanation = The following correlation identifies a four or more number of distinct analytics associated with the Windows Post-Exploitation analytic story, which enables the identification of potentially suspicious behavior. Windows Post-Exploitation refers to the phase that occurs after an attacker successfully compromises a Windows system. During this stage, attackers strive to maintain persistence, gather sensitive information, escalate privileges, and exploit the compromised environment further. Timely detection of post-exploitation activities is crucial for prompt response and effective mitigation. Common post-exploitation detections encompass identifying suspicious processes or services running on the system, detecting unusual network connections or traffic patterns, identifying modifications to system files or registry entries, monitoring abnormal user account activities, and flagging unauthorized privilege escalations. Ensuring the detection of post-exploitation activities is essential to proactively prevent further compromise, minimize damage, and restore the security of the Windows environment. how_to_implement = Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1012", "T1049", "T1069", "T1016", "T1003", "T1082", "T1115", "T1552"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012", "T1049", "T1069", "T1016", "T1003", "T1082", "T1115", "T1552"], "nist": ["DE.AE"]} known_false_positives = False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers. providing_technologies = null @@ -13242,7 +13402,7 @@ asset_type = Endpoint confidence = medium explanation = The following PowerShell Script Block analytic identifies the native ability to add a DLL to the Windows Global Assembly Cache. Each computer where the Common Language Runtime is installed has a machine-wide code cache called the Global Assembly Cache. The Global Assembly Cache stores assemblies specifically designated to be shared by several applications on the computer. By adding a DLL to the GAC, this allows an adversary to call it via any other means across the operating systems. This is native and built into Windows. Per the Microsoft blog, the more high fidelity method may be to look for W3WP.exe spawning PowerShell that includes the same CommandLine as identified in this analytic. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1505", "T1505.004"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.004"], "nist": ["DE.CM"]} known_false_positives = False positives may be present based on developers or third party utilities adding items to the GAC. providing_technologies = ["Microsoft Windows"] 
@@ -13252,7 +13412,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is processing cryptography namespace library. This technique was seen in several powershell malware, loader, downloader and stager that will decrypt or decode the next malicious stager or the actual payload. This Anomaly detection can be a good indicator that a powershell process to decrypt code. We recommend to further check the parent_process_name, the file or data it tries to decrypt, network connection and user who execute the script. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"]} known_false_positives = False positives should be limited. Filter as needed. providing_technologies = ["Microsoft Windows"] 
@@ -13262,7 +13422,7 @@ asset_type = Endpoint confidence = medium explanation = The following analtyic identifies the use of get-WebConfigurationProperty and Set-ItemProperty attempting to disable HTTP logging on windows via PowerShell. Adversaries may perform this action to disable HTTP logging to cover tracks and delete logs on disk. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562", "T1562.002", "T1505", "T1505.004"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1562", "T1562.002", "T1505", "T1505.004"], "nist": ["DE.CM"]} known_false_positives = It is possible administrators or scripts may run these commands, filtering may be required. providing_technologies = ["Microsoft Windows"] 
@@ -13272,7 +13432,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the PowerShell Cmdlet export-certificate utilizing Script Block Logging. This particular behavior is related to an adversary attempting to steal certificates local to the Windows endpoint within the Certificate Store. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1552.004", "T1552", "T1649"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.004", "T1552", "T1649"], "nist": ["DE.AE"]} known_false_positives = It is possible administrators or scripts may run these commands, filtering may be required. providing_technologies = ["Microsoft Windows"] 
@@ -13282,7 +13442,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the PowerShell Cmdlet export-pfxcertificate utilizing Script Block Logging. This particular behavior is related to an adversary attempting to steal certificates local to the Windows endpoint within the Certificate Store. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1552.004", "T1552", "T1649"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.004", "T1552", "T1649"], "nist": ["DE.AE"]} known_false_positives = It is possible administrators or scripts may run these commands, filtering may be required. providing_technologies = ["Microsoft Windows"] 
@@ -13292,7 +13452,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic identifies the use of Get-CimInstance cmdlet with the -ComputerName parameter, which indicates that the cmdlet is being used to retrieve information from a remote computer. This can be useful for detecting instances of remote access, such as when an attacker uses PowerShell to connect to a remote system and gather information. By monitoring for this cmdlet with the -ComputerName parameter, security analysts can identify potential malicious activity on remote systems and take appropriate action to mitigate any threats. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.001"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001"], "nist": ["DE.AE"]} known_false_positives = This is meant to be a low risk RBA anomaly analytic or to be used for hunting. Enable this with a low risk score and let it generate risk in the risk index. providing_technologies = ["Microsoft Windows"] 
@@ -13302,7 +13462,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the usage of PowerShell Cmdlets - New-WebGlobalModule, Enable-WebGlobalModule and Set-WebGlobalModule being utilized to create (new), enable (start) or modify a current IIS Module. These commands are equivalent to AppCmd.exe parameters. Adversaries may utilize these cmdlets as they are lesser known and perform the same activity as AppCmd. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1505", "T1505.004"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.004"], "nist": ["DE.AE"]} known_false_positives = It is possible administrators or scripts may run these commands, filtering may be required. providing_technologies = ["Microsoft Windows"] 
@@ -13312,7 +13472,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic is to identify the imports of Windows PowerShell Applocker commandlets. This technique was seen in Azorult malware where it drops an xml Applocker policy that will deny several AV product and then loaded using PowerShell Applocker commandlet. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.001", "T1059", "T1562.001", "T1562"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1059.001", "T1059", "T1562.001", "T1562"], "nist": ["DE.CM"]} known_false_positives = administrators may execute this command that may cause some false positive. providing_technologies = ["Microsoft Windows"] 
@@ -13322,7 +13482,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic identifies the use of "remotesigned" execution policy for a file. This security setting determines whether PowerShell scripts can be executed on a computer. When the execution policy is set to "remotesigned," it allows locally created scripts to run without any restrictions, but scripts downloaded from the internet must have a digital signature from a trusted publisher. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"]} known_false_positives = It is possible administrators or scripts may run these commands, filtering may be required. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13332,7 +13492,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic detects potential malicious activities related to PowerShell's task scheduling cmdlets. It looks for anomalies in PowerShell logs, specifically EventCode 4104, associated with script block logging. The analytic flags unusual or suspicious use patterns of key task-related cmdlets such as 'New-ScheduledTask', 'Set-ScheduledTask', and others, which are often used by attackers for persistence and remote execution of malicious code. If a true positive is found, it suggests an possible attacker is attempting to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, PowerShell Script Block Logging needs to be enabled on some or all endpoints. Analysts should be aware of benign administrative tasks that can trigger alerts and tune the analytic accordingly to reduce false positives. Upon triage, review the PowerShell logs for any unusual or unexpected cmdlet usage, IP addresses, user accounts, or timestamps. If these factors align with known malicious behavior patterns, immediate mitigation steps, such as isolation of the affected systems, user account changes, and relevant threat hunting activities, should be initiated. This proactive analysis significantly enhances an organization's capacity to swiftly respond to, and potentially prevent, the execution of advanced persistent threats in their network. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.005", "T1059.001", "T1059"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1059.001", "T1059"], "nist": ["DE.AE"]} known_false_positives = Benign administrative tasks can also trigger alerts, necessitating a firm understanding of the typical system behavior and precise tuning of the analytic to reduce false positives. providing_technologies = ["Microsoft Windows"] 
@@ -13342,7 +13502,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic detects the use of the PowerShell script block logging mechanism to detect the use of the Win32_ScheduledJob WMI class. This class allows the creation and management of scheduled tasks on Windows systems. However, due to security concerns, the class has been disabled by default in Windows systems, and its use must be explicitly enabled by modifying the registry. As a result, the detection of the use of this class may indicate malicious activity, especially if the class was enabled on the system by the attacker. Therefore, it is recommended to monitor the use of Win32_ScheduledJob through PowerShell script block logging and to investigate any suspicious activity. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.CM"]} known_false_positives = False positives may be present based on legacy applications or utilities. Win32_ScheduledJob uses the Remote Procedure Call (RPC) protocol to create scheduled tasks on remote computers. It uses the DCOM (Distributed Component Object Model) infrastructure to establish a connection with the remote computer and invoke the necessary methods. The RPC service needs to be running on both the local and remote computers for the communication to take place. providing_technologies = ["Microsoft Windows"] 
@@ -13352,7 +13512,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the use of the Get-GPPPassword PowerShell commandlet employed to search for unsecured credentials Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts. These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public). While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1552", "T1552.006"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552", "T1552.006"], "nist": ["DE.CM"]} known_false_positives = Unknown providing_technologies = ["Microsoft Windows"] 
@@ -13362,7 +13522,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets `Get-ObjectAcl` or `Get-DomainObjectAcl`. This commandlets are used to enumerate Access Control List permissions given to Active Directory objects. In an active directory environment, an object is an entity that represents an available resource within the organizations network, such as domain controllers, users, groups, computers, shares, etc. Maintaining Active Directory permissions is complicated and hard to manage, especially in complex and large environments with multiple domains. Weak permissions may allow adversaries and red teamers to escalate their privileges in Active Directory. PowerView is a common tool leveraged by attackers to identify and exploit configuration weaknesses. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1078.002", "T1069"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.002", "T1069"], "nist": ["DE.CM"]} known_false_positives = Administrators may leverage PowerView for legitimate purposes, filter as needed. providing_technologies = ["Microsoft Windows"] 
@@ -13372,7 +13532,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify commandlets used by the PowerView hacking tool leveraged to discover Windows endpoints with Kerberos Constrained Delegation. Red Teams and adversaries alike may leverage use this technique for situational awareness and Active Directory Discovery. how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} known_false_positives = Administrators or power users may leverage PowerView for system management or troubleshooting. providing_technologies = ["Microsoft Windows"] 
@@ -13382,7 +13542,7 @@ asset_type = endpoint confidence = medium explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainSPNTicket` commandlets with specific parameters. This commandlet is a part of PowerView, a PowerShell tool used to perform enumeration and discovery on Windows Active Directory networks. As the name suggests, this commandlet is used to request the kerberos ticket for a specified service principal name (SPN). Once the ticket is received, it may be cracked using password cracking tools like hashcat to extract the password of the SPN account. Red Teams and adversaries alike may leverage PowerView and these commandlets to identify accounts that can be attacked with the Kerberoasting technique. how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.CM"]} known_false_positives = False positive may include Administrators using PowerView for troubleshooting and management. providing_technologies = ["Microsoft Windows"] 
@@ -13392,7 +13552,7 @@ asset_type = endpoint confidence = medium explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` or `Get-NetUSer` commandlets with specific parameters. These commandlets are part of PowerView, a PowerShell tool used to perform enumeration and discovery on Windows Active Directory networks. As the names suggest, these commandlets are used to identify domain users in a network and combining them with the `-SPN` parameter allows adversaries to discover domain accounts associated with a Service Principal Name (SPN). Red Teams and adversaries alike may leverage PowerView and these commandlets to identify accounts that can be attacked with the Kerberoasting technique. how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.CM"]} known_false_positives = False positive may include Administrators using PowerView for troubleshooting and management. providing_technologies = ["Microsoft Windows"] 
@@ -13402,7 +13562,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify commandlets used by the PowerView hacking tool leveraged to discover Windows endpoints with Kerberos Unconstrained Delegation. Red Teams and adversaries alike may leverage use this technique for situational awareness and Active Directory Discovery. how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} known_false_positives = Administrators or power users may leverage PowerView for system management or troubleshooting. providing_technologies = ["Microsoft Windows"] 
@@ -13412,17 +13572,47 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a process command line that retrieves information related to private keys files. This technique was seen in several post exploitation tools like winpeas that are being used by Ransomware Prestige to search for private key certificates on the compromised host for insecurely stored credentials. This files can be used by adversaries to gain privileges, persistence or remote service authentication to collect more sensitive information. Some private keys required password for operation, so in this case adversaries may need to have that passphrase either via keylogging or brute force attack.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1552.004", "T1552"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.004", "T1552"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
+[savedsearch://ESCU - Windows Privilege Escalation Suspicious Process Elevation - Rule]
+type = detection
+asset_type = Endpoint
+confidence = medium
+explanation = The following analytic detects when any low->high integrity level process running from a user account spawns an elevated (high/system integrity) process in a suspicious location or with system level process integrity. This behavior may indicate when a threat actor has successfully elevated privileges.
+how_to_implement = Target environment must ingest process execution data sources such as Windows process monitoring and/or Sysmon EID 1.
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068", "T1548", "T1134"], "nist": ["DE.CM"]}
+known_false_positives = False positives may be generated by administrators installing benign applications using run-as/elevation.
+providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
+
+[savedsearch://ESCU - Windows Privilege Escalation System Process Without System Parent - Rule]
+type = detection
+asset_type = Endpoint
+confidence = medium
+explanation = The following analytic detects any system integrity level process that was spawned by a process not running as a system account. This behavior is often seen when attackers successfully escalate privileges to SYSTEM from a user controlled process or service.
+how_to_implement = Target environment must ingest sysmon data, specifically Event ID 1 with process integrity and parent user data.
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068", "T1548", "T1134"], "nist": ["DE.CM"]}
+known_false_positives = Unknown
+providing_technologies = null
+
+[savedsearch://ESCU - Windows Privilege Escalation User Process Spawn System Process - Rule]
+type = detection
+asset_type = Endpoint
+confidence = medium
+explanation = The following analytic detects when any process low->high integrity level process spawns a system integrity process from a user controlled location. This behavior is often seen when attackers successfully escalate privileges to SYSTEM from a user controlled process or service.
+how_to_implement = Target environment must ingest sysmon data, specifically Event ID 15.
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068", "T1548", "T1134"], "nist": ["DE.CM"]}
+known_false_positives = Unknown
+providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
+
 [savedsearch://ESCU - Windows Process Commandline Discovery - Rule]
 type = detection
 asset_type = Endpoint
 confidence = medium
 explanation = The following analytic detects Windows Management Instrumentation Command-line (WMIC) command used to retrieve information about running processes and specifically fetches the command lines used to launch those processes. This Hunting detection can be a good indicator for possible suspicious user or process getting list of process with its command line using wmic application which is not a common practice for a non-technical user.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1057"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1057"], "nist": ["DE.AE"]}
 known_false_positives = Administrators or power users may use this command for troubleshooting. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
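Review bot: The third new stanza's prerequisite, `+how_to_implement = Target environment must ingest sysmon data, specifically Event ID 15.`, names Sysmon Event ID 15, which is FileCreateStreamHash; a detection that keys on a process spawning another process with a given integrity level would be built on Event ID 1 (process creation), which is what the neighbouring "System Process Without System Parent" stanza states. Unless the underlying saved search really reads EID 15, the line should read `Target environment must ingest sysmon data, specifically Event ID 1 with process integrity and parent user data.`. The middle stanza also ships `providing_technologies = null` while its own how_to_implement requires Sysmon, so it should list at least "Sysmon" to match the two stanzas around it; otherwise the content has no data-source mapping. These are generated dist lines, so the corrections belong in the source detection YAML that the release job renders from.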
@@ -13432,7 +13622,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a non-service searchindexer.exe process. QakBot, a notorious banking trojan and information stealer, often deploys a process named "searchindexer.exe" as part of its malicious activities. This legitimate Windows process, "Search Indexer," is manipulated by QakBot to masquerade and evade detection within the system. The malware uses this deceptive tactic to camouflage its presence, remaining inconspicuous while performing unauthorized actions like data exfiltration, keystroke logging, and communication with command and control servers. By adopting the guise of a genuine system process, the malicious "searchindexer.exe" process helps QakBot evade scrutiny and continue its malevolent operations without arousing suspicion. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13442,7 +13632,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic utilizes Sysmon to identify process injection into Notepad.exe, based on GrantedAccess requests - 0x40 and 0x1fffff. This particular behavior is attributed to the defaults of the SliverC2 framework by BishopFox. By default, the analytic filters out any SourceImage paths of System32, Syswow64 and program files. Add more as needed, or remove and monitor what is consistently injecting into notepad.exe. This particular behavior will occur from a source image that is the initial payload dropped. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1055", "T1055.002"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055", "T1055.002"], "nist": ["DE.AE"]} known_false_positives = False positives may be present based on SourceImage paths. If removing the paths is important, realize svchost and many native binaries inject into notepad consistently. Restrict or tune as needed. providing_technologies = null 
@@ -13452,7 +13642,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic identifies the suspicious Remote Thread execution of wermgr.exe process to "firefox.exe", "chrome.exe" and other known browsers. This technique was seen in Qakbot malware that executes its malicious code by injecting its code in legitimate Windows Operating System processes such as wermgr.exe to steal information in the compromised host. This TTP detection can be a good pivot to detect wermgr.exe process injected with qakbot code that tries to remote thread code execution in known browsers like firefox and edge which is not a common behavior of this wermgr.exe application. how_to_implement = To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1055.001", "T1055"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055.001", "T1055"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = null 
@@ -13462,7 +13652,7 @@ asset_type = 80
 confidence = medium
 explanation = The following analytic identifies a suspicious remote thread execution in some process being abused by threat actor and malware like qakbot. Qakbot is one of the malware using this technique to load its malicious dll module or malicious code in the targeted host. This TTP can be a good pivot to verify what is the behavior of the targeted Image process after this detection trigger. look for network connection, child process execution, file access and many more that helps to verify the indication of malware infection.
 how_to_implement = To successfully implement this search, you must be ingesting data that records process activity from your hosts like remote thread EventCode=8 of sysmon. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1055", "T1055.002"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055", "T1055.002"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = null
 
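Review bot: The function-context line git copied into this hunk header shows `asset_type = 80` for the remote-thread stanza, which is not a valid asset type; every other stanza in the file uses `Endpoint`, so this detection's asset classification is wrong in the rendered conf. That line sits just outside the hunk's changed lines, and the same value appears on the CreateRemoteThread stanza two hunks below. Since the dist file is generated, the fix is `asset_type = Endpoint` in the source detection YAML for both detections rather than an edit here.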
@@ -13472,7 +13662,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a suspicious wermgr.exe parent process having a child process not related to error, fault or windows werfault event. This technique was seen in Qakbot malware where it inject its malicious code in wermgr to evade detections and hide from the analyst to execute its recon and its malicious behavior. This Anomaly detection can be a good pivot to start investigating a possible qakbot infection in the network. The Wermgr.exe process is not known to have other child processes aside from itself or werfault.exe how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.AE"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13482,7 +13672,7 @@ asset_type = 80
 confidence = medium
 explanation = The following analytic identifies a process in a non-standard file path on Windows attempting to create a remote thread into a process. This Windows API,CreateRemoteThread, is commonly used by adversaries for process injection to evade detections or gain privilege escalation.
 how_to_implement = To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1055", "T1055.002"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055", "T1055.002"], "nist": ["DE.AE"]}
 known_false_positives = Some security products or third party applications may utilize CreateRemoteThread, filter as needed before enabling as a notable.
 providing_technologies = null
 
@@ -13492,7 +13682,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic is to look for process commandline that contains named pipe. This technique was seen in some adversaries, threat actor and malware like olympic destroyer to communicate to its other child processes after process injection that serve as defense evasion and privilege escalation. On the other hand this analytic may catch some normal process that using this technique for example browser application. In that scenario we include common process path we've seen during testing that cause false positive which is the program files. False positive may still be arise if the normal application is in other folder path. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.AE"]} known_false_positives = Normal browser application may use this technique. Please update the filter macros to remove false positives. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13502,7 +13692,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic is to look for known processes killed by industroyer2 malware. This technique was seen in the industroyer2 malware attack that tries to kill several processes of windows host machines related to the energy facility network. This anomaly might be a good indicator to check which process kill these processes or why the process was killed.
 how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]}
 known_false_positives = False positives are possible if legitimate applications are allowed to terminate this process during testing or updates. Filter as needed based on paths that are used legitimately.
 providing_technologies = null
 
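Review bot: The how_to_implement context line says this search needs Windows Security Event Logs with EventCode 4698 enabled, but 4698 is "A scheduled task was created"; a detection for processes being killed, as the explanation describes, would rely on process-termination events (Security 4689, or Sysmon EID 5), so either the prerequisite or the explanation is wrong. Check which EventCode the saved search actually filters on and make the line name that event, e.g. `how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4689 EventCode (process termination) enabled. The Windows TA is also required.`. `providing_technologies = null` on the last line also leaves the content with no data-source mapping even though the prerequisite names Windows Security logs, so "Microsoft Windows" is presumably the intended value. As this is generated dist output, correct it in the source detection YAML.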
@@ -13512,7 +13702,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies the use of Plink being utilized to proxy egress or laterally in an organization. The analytic is limited to specific Plink options on the command-line, including -R -L and -D which will have the remote and local IP address or port and -l for a username. Modify the options as seen fit for your organization.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1572", "T1021.004"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Exploitation"], "mitre_attack": ["T1572", "T1021.004"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present if the organization allows for SSH tunneling outbound or internally. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -13522,7 +13712,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for processes launching netsh.exe for connection proxy. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1090.001", "T1090"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1090.001", "T1090"], "nist": ["DE.AE"]}
 known_false_positives = Some VPN applications are known to launch netsh.exe. Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -13532,7 +13722,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for processes launching netsh.exe for connection proxy. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1090.001", "T1090"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1090.001", "T1090"], "nist": ["DE.AE"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -13542,7 +13732,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a suspicious process accessing default internet browsers registry entry. This registry is used by Windows to store information about default internet browsers installed on a system. Malware, adversaries or red-teamers can abuse this registry key to collect data about the installed internet browsers and their associated settings. This information can be used to steal sensitive data such as login credentials, browsing history, and saved passwords. We observed noise that needs to be filter out so we add several known path of Windows Application to make this detection more stable.
 how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure."
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]}
 known_false_positives = uninstall application may access this registry to remove the entry of the target application. filter is needed.
 providing_technologies = ["Microsoft Windows"]
@@ -13552,7 +13742,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a process execution of reg.exe with "save" parameter. This reg.exe parameter is commonly being abused by threat actors, adversaries and red-teamers to dump credentials or to check the registry modification capabilities of certain users or administrators in targeted hosts. This approach was seen in post-exploitation tool like winpeas where it uses "reg save" and "reg restore" to check registry modification restriction in targeted host after gaining access to it.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]}
 known_false_positives = network administrator can use this command tool to backup registry before updates or modifying critical registries.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -13562,7 +13752,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a suspicious query on uninstall application list in Windows OS registry. This registry is commonly used by legitimate software to store information about installed applications on a Windows system, such as their name, version, publisher, and installation path. However, malware, adversaries or even red-teamers can abuse this registry key to retrieve information stored in the "Uninstall" key to gather data about installed applications in the target host. This Anomaly detection can be a good pivot to detect a possible suspicious process accessing this registry which is not commonly accessed by a normal user.
 how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure."
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]}
 known_false_positives = Uninstall application may access this registry to remove the entry of the target application. Filter is needed.
 providing_technologies = ["Microsoft Windows"]
@@ -13572,7 +13762,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies the Raccine Rules Updater scheduled task being deleted. Adversaries may attempt to remove this task in order to prevent the update of Raccine. Raccine is a "ransomware vaccine" created by security researcher Florian Roth, designed to intercept and prevent precursors and active ransomware behavior.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001"], "nist": ["DE.CM"]}
 known_false_positives = False positives should be limited, however filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -13582,7 +13772,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic leverages Event ID 4624 to identify a source computer authenticating to a large number of remote endpoints within an Active Directory network. Specifically, the logic will trigger when a source endpoint authenticates to 30 or more target computers within a 5 minute timespan. This behavior could represent an adversary who is moving laterally across the environment or enumerating network shares in the search for sensitive files. As environments differ across organizations, security teams should customize the thresholds of this detection as needed.
 how_to_implement = To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]}
 known_false_positives = Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed.
 providing_technologies = ["Microsoft Windows"]
@@ -13592,7 +13782,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies the Windows Windows Remote Auto Dialer, rasautou.exe executing an arbitrary DLL. This technique is used to execute arbitrary shellcode or DLLs via the rasautou.exe LOLBin capability. During triage, review parent and child process behavior including file and image loads.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1055.001", "T1218", "T1055"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055.001", "T1218", "T1055"], "nist": ["DE.CM"]}
 known_false_positives = False positives will be limited to applications that require Rasautou.exe to load a DLL from disk. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -13602,7 +13792,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to look for suspicious raw access read to device disk partition of the host machine. This technique was seen in several attacks by adversaries or threat actor to wipe, encrypt or overwrite the boot sector of each partition as part of their impact payload for example the "hermeticwiper" malware. This detection is a good indicator that there is a process try to read or write on boot sector.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the raw access read event (like sysmon eventcode 9), process name and process guid from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1561.002", "T1561"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1561.002", "T1561"], "nist": ["DE.AE"]}
 known_false_positives = This event is really notable but we found minimal number of normal application from system32 folder like svchost.exe accessing it too. In this case we used 'system32' and 'syswow64' path as a filter for this detection.
 providing_technologies = null
@@ -13612,7 +13802,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic is to look for suspicious raw access read to drive where the master boot record is placed. This technique was seen in several attacks by adversaries or threat actor to wipe, encrypt or overwrite the master boot record code as part of their impact payload. This detection is a good indicator that there is a process try to read or write on MBR sector.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the raw access read event (like sysmon eventcode 9), process name and process guid from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1561.002", "T1561"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1561.002", "T1561"], "nist": ["DE.CM"]}
 known_false_positives = This event is really notable but we found minimal number of normal application from system32 folder like svchost.exe accessing it too. In this case we used 'system32' and 'syswow64' path as a filter for this detection.
 providing_technologies = null
@@ -13622,7 +13812,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies successful remote desktop connections. Utilize this analytic to hunt for successful attempts. In addition, the query may be modified for EventCode=1148 to potentially identify failed attempts. In testing, 1148 would not generate based on a failed logon attempt. Note this analytic requires enabling and a stanza in a inputs.conf.
 how_to_implement = The following analyic requires the WIndows TerminalServices RemoteConnectionManager Operational log to be enabled and ingested into Splunk. For the inputs, review https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1563.002"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1563.002"], "nist": ["DE.AE"]}
 known_false_positives = False positives will be present, filter as needed or restrict to critical assets on the perimeter.
 providing_technologies = null
@@ -13632,7 +13822,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic monitors the BootExecute registry key for any modifications from its default value, which could indicate potential malicious activity. The BootExecute registry key, located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager, manages the list of applications and services that are executed during system boot. By default, the BootExecute value is set to "autocheck autochk *". Attackers might attempt to modify this value to achieve persistence, load malicious code, or tamper with the system's boot process.
 how_to_implement = To successfully implement this search you need to be ingesting information on Windows Registry that include the name of the path and key responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1542", "T1547.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1542", "T1547.001"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present and will need to be filtered.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -13642,7 +13832,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies installation of a root CA certificate by monitoring the registry. The base paths may be found [here](https://gist.github.com/mattifestation/75d6117707bcf8c26845b3cbb6ad2b6b/raw/ae65ef15c706140ffc2e165615204e20f2903028/RootCAInstallationDetection.xml). In short, there are specific certificate registry paths that will be written to (SetValue) when a new certificate is added. The high-fidelity events to pay attention to are SetValue events where the TargetObject property ends with "\Blob" as this indicates the direct installation or modification of a root certificate binary blob. The other high fidelity reference will be which process is making the registry modifications. There are very few processes that modify these day to day, therefore monitoring for all to start (hunting) provides a great beginning.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1553.004", "T1553"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.004", "T1553"], "nist": ["DE.AE"]}
 known_false_positives = False positives will be limited to a legitimate business applicating consistently adding new root certificates to the endpoint. Filter by user, process, or thumbprint.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -13652,7 +13842,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a process attempting to delete a scheduled task SD (Security Descriptor) from within the registry path of that task. This may occur from a non-standard process running and may not come from reg.exe. This particular behavior will remove the actual Task Name from the Task Scheduler GUI and from the command-line query - schtasks.exe /query. In addition, in order to perform this action, the user context will need to be SYSTEM.\ Identifying the deletion of a scheduled task's Security Descriptor from the registry is significant for a SOC as it may indicate malicious activity attempting to remove evidence of a scheduled task, potentially for defense evasion purposes. If a true positive is detected, it suggests an attacker with privileged access attempting to remove traces of their activities, which can have a significant impact on the security and functionality of affected systems. Immediate investigation and response are required to mitigate further risks and preserve the integrity of the environment.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.005", "T1562"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1562"], "nist": ["DE.AE"]}
 known_false_positives = False positives should be limited as the activity is not common to delete ONLY the SD from the registry. Filter as needed. Update the analytic Modified or Deleted values based on product that is in the datamodel.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -13662,7 +13852,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a modification or registry add to the safeboot registry as an autostart mechanism. This technique is utilized by adversaries to persist a driver or service into Safe Mode. Two keys are monitored in this analytic, Minimal and Network. adding values to Minimal will load into Safe Mode and by adding into Network it will provide the service or drive the ability to perform network connections in Safe Mode.
 how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.001", "T1547"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.001", "T1547"], "nist": ["DE.CM"]}
 known_false_positives = updated windows application needed in safe boot may used this registry
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -13672,7 +13862,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies when suspiciouly long data is written to the registry. This behavior is often associated with certain fileless malware threats or persistence techniques used by threat actors. Data stored in the registy is considered fileless since it does not get written to disk and is traditionally not well defended since normal users can modify thier own registry.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1027", "T1027.011"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027", "T1027.011"], "nist": ["DE.CM"]}
 known_false_positives = Unknown, possible custom scripting.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -13682,7 +13872,7 @@ asset_type = endpoint
 confidence = medium
 explanation = The following analytic detects modifications to the Windows Registry SIP Provider. It identifies this behavior by monitoring Sysmon Event ID 7, which logs registry modification events. The analytic specifically looks for changes in registry paths and values associated with Cryptography Providers and OID Encoding Types. This behavior is worth identifying as it may indicate an attempt to subvert trust controls, a technique often used by adversaries to bypass security measures and maintain persistence in an environment. If a true positive is found, it suggests an attacker is trying to manipulate the system's cryptographic functions, potentially leading to unauthorized access, data theft, or other damaging outcomes. Upon triage, review the registry paths and values modified, and look for concurrent processes to identify the attack source. Review the path of the SIP being added. This approach helps analysts detect potential threats earlier and mitigate the risks.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1553.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.003"], "nist": ["DE.CM"]}
 known_false_positives = Be aware of potential false positives - legitimate applications may cause benign activities to be flagged.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -13692,7 +13882,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following hunting analytic identifies renamed instances of regsv32.exe executing. regsv32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, validate if it is the legitimate regsv32.exe executing and what dll module content it is loading. This query relies on the original filename or internal name from the PE meta data. Expand the query as needed by looking for specific command line arguments outlined in other analytics.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218.010", "T1218"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.010", "T1218"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -13702,7 +13892,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following anomaly detection identifies the behavior related to 4 native Windows DLLs being loaded by a non-standard process. Identified by MDSec during their research into Brute Ratel, MDSec identified a high signal analytic by calling out these 4 DLLs being loaded into a process. LogonCLI.dll is the Net Logon Client DLL and is related to users and other domain services to get authenticated. Credui.dll is Credential Manager User Interface. Credential managers receive notifications when authentication information changes. For example, credential managers are notified when a user logs on or an account password changes. Samcli.dll is the Security Accounts Manager Client DLL. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. Dbghelp.dll is Windows Image Helper. Windows Image Helper is commonly seen in credential dumping due to native functions. All of these modules are important to monitor and track and combined may lead to credentail access or dumping.
 how_to_implement = The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1219", "T1003"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Exploitation"], "mitre_attack": ["T1219", "T1003"], "nist": ["DE.AE"]}
 known_false_positives = This module can be loaded by a third party application. Filter is needed.
 providing_technologies = null
@@ -13712,7 +13902,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following hunting analytic is meant to help organizations understand what remote access software is being used in the environment. When reviewing this hunt, confirm the software identified is authorized to be utilized. Based on fidelity, create a new analytic for specific utilities banned within the organization. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1219"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.AE"]}
 known_false_positives = False positives will be found. Filter as needed and create higher fidelity analytics based off banned remote access software.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
@@ -13722,7 +13912,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic is to identify a modification or creation of Windows registry related to the Remote Manipulator System (RMS) Remote Admin tool. RMS is a legitimate tool developed by russian organization TektonIT and has been observed being abused by adversaries to gain remote access to the targeted host. Azorult malware utilized RMS to gain remote access. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1219"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1219"], "nist": ["DE.CM"]} known_false_positives = administrators may enable or disable this feature that may cause some false positive. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13732,7 +13922,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the use of Microsoft Remote Assistance, msra.exe, spawning PowerShell.exe or cmd.exe as a child process. Msra.exe by default has no command-line arguments and typically spawns itself. It will generate a network connection to the remote system that is connected. This behavior is indicative of another process injected into msra.exe. Review the parent process or cross process events to identify source. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} known_false_positives = False positives should be limited, filter as needed. Add additional shells as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13742,7 +13932,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic identifies an endpoint that remotely connects to another endpoint to create a new service using sc.exe. On the remote endpoint, the new service will be created and this action will trigger the creation of EventCode 7045 along with all the resulting service information. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.AE"]} known_false_positives = Note that false positives may occur, and filtering may be necessary, especially when it comes to remote service creation by administrators or software management utilities. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13752,7 +13942,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies RDPWInst.exe tool, which is a RDP wrapper library tool designed to enable remote desktop host support and concurrent RDP session on reduced functionality system. Unfortunately, this open project was abused by adversaries to enable RDP connection to the targeted host for remote access and potentially be for lateral movement. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} known_false_positives = This tool was designed for home usage and not commonly seen in production environment. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13762,7 +13952,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic is to identify a modification in the Windows firewall to enable remote desktop protocol on a targeted machine. This technique was seen in several adversaries, malware or red teamer to remotely access the compromised or targeted host by allowing this protocol in firewall. Even this protocol might be allowed in some production environment, This TTP behavior is a good pivot to check who and why the user want to enable this feature through firewall which is also common traits of attack to start lateral movement. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.AE"]} known_false_positives = administrators may enable or disable this feature that may cause some false positive. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13772,7 +13962,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic is to identify a modification in the Windows registry to enable remote desktop assistance on a targeted machine. This technique was seen in several adversaries, malware or red teamer like azorult to remotely access the compromised or targeted host by enabling this protocol in registry. Even this protocol might be allowed in some production environment, This Anomaly behavior is a good pivot to check who and why the user want to enable this feature through registry which is un-common. And as per stated in microsoft documentation the default value of this registry is false that makes this a good indicator of suspicious behavior. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.AE"]} known_false_positives = administrators may enable or disable this feature that may cause some false positive. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13782,7 +13972,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic is to identify a modification in the Windows registry to enable remote desktop protocol on a targeted machine. This technique was seen in several adversaries, malware or red teamer to remotely access the compromised or targeted host by enabling this protocol in registry. Even this protocol might be allowed in some production environment, This TTP behavior is a good pivot to check who and why the user want to enable this feature through registry which is un-common. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} known_false_positives = administrators may enable or disable this feature that may cause some false positive. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13792,7 +13982,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic is developed to detect suspicious executable or script files created or dropped in the root drive of a targeted host. This technique is commonly used by threat actors, adversaries or even red teamers to replicate or spread in possible removable drives. Back then, WORM malware was popular for this technique where it would drop a copy of itself in the root drive to be able to spread or to have a lateral movement in other network machines. Nowadays, Ransomware like CHAOS ransomware also use this technique to spread its malicious code in possible removable drives. This TTP detection can be a good indicator that a process might create a persistence technique or lateral movement of a targeted machine. We suggest checking the process name that creates this event, the file created, user type, and the reason why that executable or scripts are dropped in the root drive. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1091"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Exploitation"], "mitre_attack": ["T1091"], "nist": ["DE.CM"]} known_false_positives = Administrators may allow creation of script or exe in the paths specified. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13802,7 +13992,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate root domain linked policies for situational awareness and Active Directory Discovery. how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]} known_false_positives = Administrators or power users may use this command for troubleshooting. providing_technologies = ["Microsoft Windows"] 
@@ -13812,7 +14002,7 @@ asset_type = Endpoint confidence = medium explanation = This search is to detect a suspicious rundll32 commandline to update a user's system parameters related to desktop backgrounds, display settings, and visual themes. Specifically, it triggers the system to refresh and apply changes to the user-specific settings, such as wallpaper modifications or visual theme updates, ensuring that the changes take effect without the need to restart the system or log out and log back in. This technique was seen in Rhysida Ransomware and script as part of its defense evasion. This technique is not a common practice to lock a screen and maybe a good indicator of compromise. This command could also potentially be exploited by malware to disguise its activities or make unauthorized changes to a user's system settings without their knowledge or consent. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13822,7 +14012,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies rundll32.exe with the commandline arguments loading davclnt.dll function - davsetcookie - to be used to access a remote WebDav instance. This particular behavior was recently showcased in CVE-2023-23397. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]} known_false_positives = False positives will be present based on legitimate software, filtering may need to occur. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13832,7 +14022,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies rundll32.exe with the commandline arguments loading davclnt.dll function - davsetcookie - to be used to access a remote WebDav instance. The analytic attempts to use join from Processes and All_Traffic to identify the network connection. This particular behavior was recently showcased in CVE-2023-23397. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]} known_false_positives = False positives will be present based on legitimate software, filtering may need to occur. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13843,7 +14033,7 @@ confidence = medium explanation = The following analytic detects the creation of suspicious scheduled tasks in Windows, specifically tasks created using schtasks.exe with the -create flag and an XML parameter in the command-line. This technique is commonly employed by threat actors, adversaries, and red teamers to establish persistence or achieve privilege escalation on targeted hosts. Notably, malware like Trickbot and Winter-Vivern have been observed using XML files to create scheduled tasks. Monitoring and investigating this activity is crucial to mitigate potential security risks. It is important to be aware that scripts or administrators may trigger this analytic, leading to potential false positives. To minimize false positives, adjust the filter based on the parent process or application.\ When a true positive is detected, it suggests an attacker's attempt to gain persistence or execute additional malicious payloads, potentially resulting in data theft, ransomware, or other damaging outcomes. During triage, review the source of the scheduled task, the command to be executed, and capture any relevant on-disk artifacts. Analyze concurrent processes to identify the source of the attack. This analytic enables analysts to detect and respond to potential threats early, mitigating the associated risks effectively. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} known_false_positives = It is possible scripts or administrators may trigger this analytic. Filter as needed based on parent process, application. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13853,7 +14043,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies when the Task Scheduler service "svchost.exe -k netsvcs -p -s Schedule" is the parent process to common command line, scripting, or shell execution binaries. Attackers often abuse the task scheduler service with these binaries as an execution and persistence mechanism in order to blend in with normal Windows operations. This TTP is also commonly seen for legitimate purposes such as business scripts or application updates. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.005", "T1059"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1059"], "nist": ["DE.CM"]} known_false_positives = Unknown, possible custom scripting. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13864,7 +14054,7 @@ confidence = medium explanation = The following analytic detects the creation of a new task with the highest execution privilege via Schtasks.exe. This tactic is often observed in AsyncRAT attacks, where the scheduled task is used for persistence and privilege escalation. AsyncRAT sets up a scheduled task with parameters '/rl' and 'highest', triggering this technique. It's a strong indicator of potential malware or adversaries seeking to establish persistence and escalate privileges through scheduled tasks. This is crucial for a Security Operations Center (SOC) as it can prevent unauthorized system access and potential data breaches.\ The analytic works by monitoring logs for process name, parent process, and command-line executions. In the presence of the '*/rl ' and ' highest *' commands in a schtasks.exe process, an alert is triggered. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} known_false_positives = False positives may arise from legitimate applications that create tasks to run as SYSTEM. 
Therefore, it's recommended to adjust filters based on parent process or modify the query to include world writable paths for restriction. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13874,7 +14064,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the creation of a new task to start and run as an elevated user - SYSTEM using Schtasks.exe. This behavior is commonly used by adversaries to spawn a process in an elevated state. If a true positive is found, it suggests an attacker is attempting to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} known_false_positives = False positives will be limited to legitimate applications creating a task to run as SYSTEM. Filter as needed based on parent process, or modify the query to have world writeable paths to restrict it. 
providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] @@ -13884,7 +14074,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a potential PowerShell script that captures screen images on compromised or targeted hosts. This technique was observed in the Winter-Vivern malware, which attempts to capture desktop screens using a PowerShell script and send the images to its C2 server as part of its exfiltration strategy. This TTP serves as a useful indicator that a PowerShell process may be gathering desktop screenshots from a host system, potentially signaling malicious activity. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = ["Microsoft Windows"] 
@@ -13894,7 +14084,7 @@ asset_type = Endpoint confidence = medium explanation = The search looks for a Windows Security Account Manager (SAM) was stopped via command-line. This is consistent with Ryuk infections across a fleet of endpoints. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]} known_false_positives = SAM is a critical windows service, stopping it would cause major issues on an endpoint this makes false positive rare. AlthoughNo false positives have been identified. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13904,7 +14094,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a process command line related to the discovery of possible Security Support Providers in the registry. This technique is being abused by adversaries or post exploitation tools like winpeas to gather LSA protection and configuration in the registry in the targeted host. This registry entry can contain several information related to LSA that validates users for local and remote sign-ins and enforces local security policies. Understanding LSA protection may give a good information in accessing LSA content in memory which is commonly attack by adversaries and tool like mimikatz to scrape password hashes or clear plain text passwords. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.005", "T1547"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.005", "T1547"], "nist": ["DE.AE"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -13914,7 +14104,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies the Windows SDK utility - GACUtil.exe, being utilized to add a DLL into the Global Assembly Cache (GAC). Each computer where the Common Language Runtime is installed has a machine-wide code cache called the Global Assembly Cache. The Global Assembly Cache stores assemblies specifically designated to be shared by several applications on the computer. By adding a DLL to the GAC, this allows an adversary to call it via any other means across the operating systems. As outlined by Microsoft in their blog, it is not common to see this spawning from W3WP.exe, however, in a non-development environment it may not be common at all. Note that in order to utilize GACutil.exe, The Windows SDK must be installed, this is not a native binary.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1505", "T1505.004"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.004"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present if gacutil.exe is utilized day to day by developers. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -13924,7 +14114,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifes a new kernel driver being added to Windows using sc.exe. Adding a Kernel driver is not common day to day and should be investigated to further understand the source.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1543.003", "T1543", "T1068"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543.003", "T1543", "T1068"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present based on common applications adding new drivers, however, filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -13934,7 +14124,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies RemComSvc installed on an endpoint. This typically occurs when someone is moving laterally with RemCom.exe.
 how_to_implement = To implement this analytic, the Windows EventCode 7045 will need to be logged. The Windows TA for Splunk is also recommended.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.AE"]}
 known_false_positives = False positives may be present, filter as needed based on administrative activity.
 providing_technologies = null
 
@@ -13944,7 +14134,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = When an adversary utilizes SliverC2 to laterally move with the Psexec module, it will create a service with the name and description of "Sliver" and "Sliver Implant". Note that these may be easily changed and are specific to only SliverC2. We have also created the same regex as Microsoft has outlined to attempt to capture the suspicious service path (regex101 reference).
 how_to_implement = To implement this analytic, the Windows EventCode 7045 will need to be logged from the System Event log. The Windows TA for Splunk is also recommended.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.CM"]}
 known_false_positives = False positives should be limited, but if another service out there is named Sliver, filtering may be needed.
 providing_technologies = null
 
@@ -13954,7 +14144,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic detects potential RDP Hijacking attempts by monitoring a series of actions taken by an attacker to gain unauthorized access to a remote system. The attacker first runs the quser command to query the remote host for disconnected user sessions. Upon identifying a disconnected session, they use the sc.exe command to create a new Windows service with a binary path that launches tscon.exe. By specifying the disconnected session ID and a destination ID, the attacker can transfer the disconnected session to a new RDP session, effectively hijacking the user's session. This analytic allows security teams to detect and respond to RDP Hijacking attempts, mitigating potential risks and impacts on targeted systems.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1563.002", "T1563", "T1543.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1563.002", "T1563", "T1543.003"], "nist": ["DE.CM"]}
 known_false_positives = False positives may arise in the RDP Hijacking analytic when legitimate administrators access remote sessions for maintenance or troubleshooting purposes. 
These activities might resemble an attacker''s attempt to hijack a disconnected session, leading to false alarms. To mitigate the risk of false positives and improve the overall security posture, organizations can implement Group Policy to automatically disconnect RDP sessions when they are complete. By enforcing this policy, administrators ensure that disconnected sessions are promptly terminated, reducing the window of opportunity for an attacker to hijack a session. Additionally, organizations can also implement access control mechanisms and monitor the behavior of privileged accounts to further enhance security and reduce the chances of false positives in RDP Hijacking detection.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -13964,7 +14154,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytics uses Windows Event Id 7045, `New Service Was Installed`, to identify the creation of a Windows Service where the service binary path path is located in a non-common Service folder in Windows. Red Teams and adversaries alike may create malicious Services for lateral movement or remote code execution as well as persistence and execution. The Clop ransomware has also been seen in the wild abusing Windows services.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.CM"]}
 known_false_positives = Legitimate applications may install services with uncommon services paths.
 providing_technologies = null
 
@@ -13974,7 +14164,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytc uses Windows Event Id 7045, `New Service Was Installed`, to identify the creation of a Windows Service where the service binary path is located in public paths. This behavior could represent the installation of a malicious service. Red Teams and adversaries alike may create malicious Services for lateral movement or remote code execution
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.CM"]}
 known_false_positives = Legitimate applications may install services with uncommon services paths.
 providing_technologies = null
 
@@ -13984,7 +14174,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the execution of `sc.exe` with command-line arguments utilized to create a Windows Service on a remote endpoint. Red Teams and adversaries alike may abuse the Service Control Manager for lateral movement and remote code execution.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.CM"]}
 known_false_positives = Administrators may create Windows Services on remote systems, but this activity is usually limited to a small set of hosts or users.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -13994,7 +14184,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic detects when reg.exe modify registry keys that define Windows services and their configurations in Windows to detect potential threats earlier and mitigate the risks. This detection is made by a Splunk query that searches for specific keywords in the process name, parent process name, user, and process ID. This detection is important because it suggests that an attacker has modified the registry keys that define Windows services and their configurations, which can allow them to maintain access to the system and potentially move laterally within the network. It is a common technique used by attackers to gain persistence on a compromised system and its impact can lead to data theft, ransomware, or other damaging outcomes. False positives can occur since legitimate uses of reg.exe to modify registry keys for Windows services can also trigger this alert. Next steps include reviewing the process and user context of the reg.exe activity and identify any other concurrent processes that might be associated with the attack upon triage.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1574.011"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.011"], "nist": ["DE.CM"]}
 known_false_positives = Third party tools may used this technique to create services but not so common.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -14004,7 +14194,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a service being deleted from the Windows Registry under CurrentControlSet\Services. Adversaries may delete a service as part of defense evasion.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]}
 known_false_positives = This event can be seen when administrator delete a service or uninstall/reinstall a software that creates service entry, but it is still recommended to check this alert with high priority.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -14014,7 +14204,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic looks for the execution of `sc.exe` with command-line arguments utilized to start a Windows Service on a remote endpoint. Red Teams and adversaries alike may abuse the Service Control Manager for lateral movement and remote code execution.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.CM"]}
 known_false_positives = Administrators may start Windows Services on remote systems, but this activity is usually limited to a small set of hosts or users.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -14024,7 +14214,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies Windows Service Control, `sc.exe`, attempting to delete a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then delete it. Adversaries utilize this technique to terminate security services or other related services to continue there objective and evade detections.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]}
 known_false_positives = It is possible administrative scripts may start/stop/delete services. Filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -14034,7 +14224,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This analytic identifies suspicious attempts to stop services on a system using either `net.exe` or `sc.exe`. This technique is used by adversaries to terminate security services or other related services to continue their objective and evade detections. This technique is also commonly used by ransomware threat actors to successfully encrypt databases or files being processed or used by Windows OS Services.
 how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]}
 known_false_positives = Windows OS or software may stop and restart services due to some critical update.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -14044,7 +14234,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a windows update service being disabled in Windows OS. This technique is being abused by adversaries or threat actors to add defense mechanisms to their malware implant in the targeted host. Disabling windows update will put the compromised host vulnerable in some zero day exploit or even some update features against threats. RedLine Stealer kills this service as part of its defense evasion mechanism.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints (like Windows system.log Event ID 7040)
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]}
 known_false_positives = Network administrator may disable this services as part of its audit process within the network. Filter is needed.
 providing_technologies = null
 
@@ -14054,7 +14244,7 @@ asset_type = endpoint
 confidence = medium
 explanation = The following inventory analytic is used with a PowerShell scripted inputs to capture all SIP providers on a Windows system. This analytic is used to identify potential malicious SIP providers that may be used to subvert trust controls. Upon review, look for new and non-standard paths for SIP providers.
 how_to_implement = To implement this analytic, one must first perform inventory using a scripted inputs. Review the following Gist - https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1553.003"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.003"], "nist": ["DE.AE"]}
 known_false_positives = False positives are limited as this is a hunting query for inventory.
 providing_technologies = null
 
@@ -14064,7 +14254,7 @@ asset_type = endpoint
 confidence = medium
 explanation = The following analytic utilizes a Windows Event Log - CAPI2 - or CryptoAPI 2, to identify failed trust validation. Typically, this event log is meant for diagnosing PKI issues, however is a great source to identify failed trust validation. Note that this event log is noisy as it captures common PKI requests from many different processes. EventID 81 is generated anytime a trust validation fails. The description for EventID 81 is "The digital signature of the object did not verify." STRT tested this analytic using Mimikatz binary.
 how_to_implement = To implement this analytic, one will need to enable the Microsoft-Windows-CAPI2/Operational log within the Windows Event Log. Note this is a debug log for many purposes, and the analytic only focuses in on EventID 81. Review the following gist for additional enabling information.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1553.003"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.003"], "nist": ["DE.AE"]}
 known_false_positives = False positives may be present in some instances of legitimate binaries with invalid signatures. Filter as needed.
 providing_technologies = null
 
@@ -14074,7 +14264,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identfies a .crmlog written to windows\registration. Per the report, typically, this file has been found within the %windows%\Registration directory with the format of ..crmlog and is decrypted by Snake's kernel driver.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1027"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present as the file pattern does match legitimate files on disk. It is possible other native tools write the same file name scheme.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -14084,7 +14274,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies the comadmin.dat file written to disk, which is related to Snake Malware. From the report, Snakes installer drops the kernel driver and a custom DLL which is used to load the driver into a single AES encrypted file on disk. Typically, this file is named comadmin.dat and is stored in the %windows%\system32\Com directory.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.006"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.006"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present, filter as needed.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -14094,7 +14284,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The follow analytic identifies the registry being modified at .wav\\OpenWithProgIds\, which is related to the Snake Malware campaign. Upon execution, Snake's WerFault.exe will attempt to decrypt an encrypted blob within the Windows registry that is typically found at HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds. The encrypted data includes the AES key, IV, and path that is used to find and decrypt the file containing Snake's kernel driver and kernel driver loader.
 how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present and will require tuning based on program Ids in large organizations.
 providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
 
@@ -14104,17 +14294,27 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies a new service WerFaultSvc being created with a binary path located in the windows winsxs path. Per the report, the Snake version primarily discussed in this advisory registers a service to maintain persistence on a system. Typically this service is named WerFaultSvc which we assess was used to blend in with the legitimate Windows service WerSvc. On boot, this service will execute Snakes WerFault.exe, which Snake developers chose to hide among the numerous valid Windows WerFault.exe files in the windows WinSxS directory. Executing WerFault.exe will start the process of decrypting Snakes components and loading them into memory.
 how_to_implement = To successfully implement this search, you need to be ingesting Windows System logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.006", "T1569.002"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.006", "T1569.002"], "nist": ["DE.CM"]}
 known_false_positives = False positives should be limited as this is a strict primary indicator used by Snake Malware.
 providing_technologies = null
 
+[savedsearch://ESCU - Windows SOAPHound Binary Execution - Rule]
+type = detection
+asset_type = Endpoint
+confidence = medium
+explanation = The following analytic identifies the common command-line argument used by SOAPHound `soaphound.exe`. Being the script is publicly available, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. It does not cover the entirety of every argument in order to avoid false positives.
+how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]}
+known_false_positives = False positives should be limited as the command-line arguments are specific to SOAPHound. Filter as needed.
+providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
+
 [savedsearch://ESCU - Windows Spearphishing Attachment Connect To None MS Office Domain - Rule]
 type = detection
 asset_type = Endpoint
 confidence = medium
 explanation = this detection was designed to identifies suspicious office documents that connect to a website aside from Microsoft Office Domain. This technique was seen in several malicious documents that abuses .rels xml properties of MS office to connect or download malicious files. This hunting query can be a good pivot or guide to check what URL link it tries to connect, what domain, where the documents came from and how the connection happens.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
 known_false_positives = Windows Office document may contain legitimate url link other than MS office Domain. filter is needed
 providing_technologies = null
 
@@ -14124,7 +14324,7 @@ asset_type = Endpoint confidence = medium explanation = The following detection identifies the latest behavior utilized by different malware families (including TA551, AsyncRat, Redline and DCRAT). This detection identifies onenote Office Product spawning `mshta.exe`. In malicious instances, the command-line of `mshta.exe` will contain the `hta` file locally, or a URL to the remote destination. In addition, Threat Research has released a detections identifying suspicious use of `mshta.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `mshta.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.CM"]} known_false_positives = No false positives known. Filter as needed. 
providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] @@ -14134,7 +14334,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic leverages Event ID 4672 to identify a source user authenticating with special privileges across a large number remote endpoints. Specifically, the logic will trigger when a source user obtains special privileges across 30 or more target computers within a 5 minute timespan. Special privileges are assigned to a new logon session when sensitive privileges like SeDebugPrivilege and SeImpersonatePrivilege are assigned. This behavior could represent an adversary who is moving laterally and executing remote code across the network. It can also be triggered by other behavior like an adversary enumerating network shares. As environments differ across organizations, security teams should customize the thresholds of this detection as needed. how_to_implement = To successfully implement this search, you need to be ingesting special logon events. The Advanced Security Audit policy setting `Audit Special Logon` within `Logon/Logoff` need to be enabled. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087", "T1021.002", "T1135"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1021.002", "T1135"], "nist": ["DE.CM"]} known_false_positives = Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed. providing_technologies = ["Microsoft Windows"] 
@@ -14144,7 +14344,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic detects the use of certutil to download software, a behavior exhibited by the threat actor Flax Typhoon. This actor deploys a VPN connection by downloading an executable file for SoftEther VPN from their network infrastructure using one of several LOLBins, including certutil. The actor then uses the Service Control Manager (SCM) to create a Windows service that launches the VPN connection automatically when the system starts. This behavior allows the actor to monitor the availability of the compromised system and establish an RDP connection. This analytic identifies this behavior by monitoring for the use of certutil in conjunction with the downloading of software. This behavior is worth identifying for a SOC as it indicates a potential compromise of the system and the establishment of a persistent threat. If a true positive is found, it suggests an attacker has gained access to the environment and is attempting to maintain that access, potentially leading to further malicious activities such as data theft or ransomware attacks. Be aware of potential false positives - legitimate uses of certutil in your environment may cause benign activities to be flagged. Upon triage, review the command executed and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} known_false_positives = The occurrence of false positives should be minimal, given that the SQL agent does not typically download software using CertUtil. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] @@ -14154,7 +14354,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies when a new certificate is requested and/or granted against the Active Directory Certificate Services (AD CS) using a Subject Alternative Name (SAN). This action by its self is not malicious, however improperly configured certificate templates can be abused to permit privilege escalation and environment compromise due to over permissive settings (AD CS ESC1) how_to_implement = To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. Recommend throttle correlation by RequestId/ssl_serial at minimum. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1649"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.CM"]} known_false_positives = False positives may be generated in environments where administrative users or processes are allowed to generate certificates with Subject Alternative Names. Sources or templates used in these processes may need to be tuned out for accurate function. providing_technologies = ["Microsoft Windows"] 
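Review bot: The `known_false_positives` line of the certutil-download hunk refers to "the SQL agent", which does not match the analytic's stated scope (any certutil download, as used by Flax Typhoon) and reads as copied from a different detection. Suggested wording: `known_false_positives = Legitimate software deployment or administrative scripts may use certutil to fetch files; filter on known parent processes and destination URLs as needed.` The stanza header is outside the hunk, and since dist/ is produced by the release job the fix belongs in the source detection YAML rather than this generated file.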
@@ -14164,7 +14364,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies when a suspicious certificate is granted using Active Directory Certificate Services (AD CS) with a Subject Alternative Name (SAN) and then immediately used for authentication. This action alone may not be malicious, however improperly configured certificate templates can be abused to permit privilege escalation and environment compromise due to over permissive settings (AD CS ESC1). how_to_implement = To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. Recommend throttle correlation by RequestId/ssl_serial at minimum. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1649", "T1550"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649", "T1550"], "nist": ["DE.CM"]} known_false_positives = False positives may be generated in environments where administrative users or processes are allowed to generate certificates with Subject Alternative Names for authentication. Sources or templates used in these processes may need to be tuned out for accurate function. providing_technologies = ["Microsoft Windows"] 
@@ -14174,7 +14374,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies when a new certificate is issued against the Certificate Services - AD CS. By its very nature this is not malicious, but should be tracked and correlated with other events related to certificates being issued. When the CA issues the certificate, it creates EID 4887 'Certificate Services approved a certificate request and issued a certificate". The event supplies the requester user context, the DNS hostname of the machine they requested the certificate from, and the time they requested the certificate. The attributes fields in these event commonly has values for CDC, RMD, and CCM which correspond to Client DC, Request Machine DNS name, and Cert Client Machine, respectively. how_to_implement = To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} known_false_positives = False positives will be generated based on normal certificates issued. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. providing_technologies = ["Microsoft Windows"] 
@@ -14184,7 +14384,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies when a new certificate is requested against the Certificate Services - AD CS. By its very nature this is not malicious, but should be tracked and correlated with other events related to certificate requests. When an account requests a certificate, the CA generates event ID (EID) 4886 "Certificate Services received a certificate request". how_to_implement = To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} known_false_positives = False positives will be generated based on normal certificate requests. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. providing_technologies = ["Microsoft Windows"] 
@@ -14194,7 +14394,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic is focused on CertUtil.exe performing a backup of the Certificate Store. Typically, administrators may perform this task to migrate or perform backups of the store, however it may be found uncommon in most organizations. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} known_false_positives = False positives will be generated based on normal certificate store backups. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. If CS backups are not normal, enable as TTP. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14204,7 +14404,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic utilizes a Windows Event Log - CAPI2 - or CryptoAPI 2, to identify suspicious certificate extraction. Typically, this event log is meant for diagnosing PKI issues, however is a great source to identify certificate exports. Note that this event log is noisy as it captures common PKI requests from many different processes. EventID 70 is generated anytime a certificate is exported. The description for EventID 70 is "Acquire Certificate Private Key". STRT tested this analytic using Mimikatz binary and the implementation of Mimikatz in Cobalt Strike. how_to_implement = To implement this analytic, one will need to enable the Microsoft-Windows-CAPI2/Operational log within the Windows Event Log. Note this is a debug log for many purposes, and the analytic only focuses in on EventID 70. Review the following gist for additional enabling information. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} known_false_positives = False positives may be present in some instances of legitimate applications requiring to export certificates. Filter as needed. providing_technologies = null 
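Review bot: The explanation says EventID 70 "is generated anytime a certificate is exported", but the event description quoted in the same line, "Acquire Certificate Private Key", covers any private-key acquisition (signing, TLS client authentication, decryption), not only exports, which is also why the log is described as noisy. Suggested wording: `EventID 70 is generated whenever a process acquires a certificate's private key; exports by tools such as Mimikatz are one source of this event.` The how_to_implement text also says "Review the following gist" with no link in this stanza; the link presumably lives in the references field outside the hunk and should be confirmed. This is generated dist output, so the change belongs in the source YAML.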
@@ -14214,7 +14414,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies when the Active Directory Certificate Services store is backed up utilizing Event ID 4876. This event triggers whenever the backup occurs in the UI of CertSrv.msc or via CertUtil.exe -BackupDB occurs. how_to_implement = To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 128 of first reference. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} known_false_positives = False positives will be generated based on normal certificate store backups. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. If CS backups are not normal, enable as TTP. providing_technologies = ["Microsoft Windows"] 
@@ -14224,7 +14424,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the use of export-certificate, the PowerShell cmdlet, being utilized on the command-line in an attempt to export the certifcate from the local Windows Certificate Store. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} known_false_positives = Filtering may be requried based on automated utilities and third party applications that may export certificates. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14234,7 +14434,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the use of export-pfxcertificate, the PowerShell cmdlet, being utilized on the command-line in an attempt to export the certifcate from the local Windows Certificate Store. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} known_false_positives = Filtering may be requried based on automated utilities and third party applications that may export certificates. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
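Review bot: The explanation describes detecting `export-pfxcertificate` "on the command-line", but a cmdlet run from inside a script file or an already-open PowerShell session never appears in `Processes.process`, so this analytic (and its Export-Certificate sibling in the previous hunk) will miss those cases. I would add to how_to_implement: `This analytic only sees the cmdlet when it is passed as a process argument; pair it with PowerShell Script Block Logging (EventCode 4104) to cover scripts and interactive sessions.` The stanza also misspells "certifcate" and "requried". The stanza header is outside the hunk; fix in the source YAML since dist/ is generated.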
@@ -14244,7 +14444,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a process execution of Windows OS klist.exe tool. This tool is being abused or used by several post exploitation tool such as winpeas that being used by ransomware prestige to display or gather list of currently cached kerberos ticket. This cahced data can be used for lateral movement or even privilege escalation on the targeted host. This hunting query can be a good pivot in possible kerberos attack or pass the hash technique. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1558"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.AE"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14254,7 +14454,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic identifies executables running from public or temporary locations that are communicating over windows domain authentication ports/protocol. The ports/protocols include LDAP(389), LDAPS(636), and Kerberos(88). Authentications from applications running from user controlled locations may not be malicious, however actors often attempt to access domain resources after initial compromise from executables in these locations. how_to_implement = To implement this analytic, Sysmon should be installed in the environment and generating network events for userland and/or known public writable locations. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1087", "T1087.002", "T1204", "T1204.002"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1087", "T1087.002", "T1204", "T1204.002"], "nist": ["DE.AE"]} known_false_positives = Known applications running from these locations for legitimate purposes. Targeting only kerberos (port 88) may significantly reduce noise. providing_technologies = null 
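Review bot: The explanation lists LDAP 389, LDAPS 636 and Kerberos 88 as the monitored ports; if the search keys on exactly those, Global Catalog LDAP on 3268/3269 is not covered and tooling that queries the GC from a user-writable path would be missed. Consider adding 3268 and 3269 to the port list, and stating in how_to_implement that Sysmon Event ID 3 (network connection) must be enabled for the relevant process paths rather than just "generating network events". The search body is outside the hunk, so the port coverage is inferred from the description; the change belongs in the source YAML since dist/ is generated.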
@@ -14264,7 +14464,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the decompile parameter with the HTML Help application, HH.exe. This is a uncommon command to see ran and behavior. Most recently this was seen in a APT41 campaign where a CHM file was delivered and a script inside used a technique for running an arbitrary command in a CHM file via an ActiveX object. This unpacks an HTML help file to a specified path for launching the next stage. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1218.001", "T1218"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.001", "T1218"], "nist": ["DE.CM"]} known_false_positives = False positives should be limited, filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14274,7 +14474,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the execution of nslookup.exe tool to get domain information. Nslookup.exe is a command-line tool that can display information to diagnose domain name systems. This Nslookup feature is being abused by Qakbot malware to gather domain information such as SRV service location records, server name and many more. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} known_false_positives = dministrator may execute this commandline tool for auditing purposes. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14284,7 +14484,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the execution of qwinsta.exe executable in Windows Operating System. This Windows executable file can display information about sessions on a remote desktop session host server. The information includes servername, sessionname, username and many more. This tool is being abused of Qakbot malware to gather information to the targeted or compromised host that will be send back to its Command And Control server. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} known_false_positives = Administrator may execute this commandline tool for auditing purposes. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14294,7 +14494,7 @@ asset_type = Endpoint confidence = medium explanation = The following hunting analytic will assist with identifying new .sys files introduced in the environment. This query is meant to identify sys file creates on disk. There will be noise, but reducing common process names or applications should help to limit any volume. The idea is to identify new sys files written to disk and identify them before they're added as a new kernel mode driver. how_to_implement = To successfully implement this search you need to be ingesting information on files from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. In addition, filtering may occur by adding NOT (Filesystem.file_path IN ("*\\Windows\\*", "*\\Program File*", "*\\systemroot\\*","%SystemRoot%*", "system32\*")). This will level out the noise generated to potentally lead to generating notables. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1068"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.AE"]} known_false_positives = False positives will be present. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
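Review bot: The how_to_implement advice to exclude `*\\Windows\\*` and `system32\*` from `Filesystem.file_path` removes exactly the locations where a dropped driver is most likely to land (for example `\Windows\Temp` or `\Windows\System32\drivers`), which undercuts the stated goal of catching new .sys files before they are loaded as kernel drivers. Prefer tuning by `Filesystem.process_name` or a known-good installer allowlist, as the explanation itself suggests, and if path exclusions are needed keep the Windows temp and drivers directories in scope. Suggested wording: `Tune noise by excluding known installer/update process names first; avoid blanket exclusion of *\Windows\* since that is where malicious drivers are typically written.` This is generated dist content, so the change belongs in the source YAML.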
@@ -14304,7 +14504,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies Windows commandline to logoff a windows host machine. This technique was seen in several APT, RAT like dcrat and other commodity malware to shutdown the machine to add more impact, interrupt access, aid destruction of the system like wiping disk or inhibit system recovery. This TTP is a good pivot to check why application trigger this commandline which is not so common way to logoff a machine. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1529"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1529"], "nist": ["DE.AE"]} known_false_positives = Administrator may execute this commandline to trigger shutdown, logoff or restart the host machine. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14314,7 +14514,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a process command line that retrieves dns reply information using Windows OS built-in tool IPConfig. This technique is being abused by threat actors, adversaries and post exploitation tools like WINPEAS to retrieve DNS information for the targeted host. This IPConfig parameter (/displaydns) can show dns server resource record, record name, record type, time to live data length and dns reply. This hunting detection can be a good pivot to check which process is executing this command line in specific host system that may lead to malware or adversaries gathering network information. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1016"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1016"], "nist": ["DE.AE"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14324,7 +14524,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a process execution of Windows OS built-in tool netsh.exe to show state, configuration and profile of host firewall. This tool is being used or abused by several adversaries or even post exploitation tool to bypass firewall rules or to discover firewall settings. This hunting detection can help to detect a possible suspicious usage of netsh.exe to retrieve firewall settings or even firewall wlan profile. We recommend checking which parent process and process name execute this command. Also check the process file path for verification that may lead to further TTP's threat behavior. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]} known_false_positives = network administrator can use this tool for auditing process. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14334,7 +14534,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies Windows commandline to reboot a windows host machine. This technique was seen in several APT, RAT like dcrat and other commodity malware to shutdown the machine to add more impact, interrupt access, aid destruction of the system like wiping disk or inhibit system recovery. This TTP is a good pivot to check why application trigger this commandline which is not so common way to reboot a machine. Compare to shutdown and logoff shutdown.exe feature, reboot seen in some automation script like ansible to reboot the machine. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1529"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1529"], "nist": ["DE.AE"]} known_false_positives = Administrator may execute this commandline to trigger shutdown or restart the host machine. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14344,7 +14544,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the abuse of Syncappvpublishingserver.vbs, which is a native script on Windows that may be utilized to download remote files or perform privilege escalation. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1216", "T1218"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1216", "T1218"], "nist": ["DE.CM"]} known_false_positives = False positives may be present if the vbscript syncappvpublishingserver is used for legitimate purposes. Filter as needed. Adding a n; to the command-line arguments may help reduce any noise. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14354,7 +14554,7 @@ asset_type = Endpoint confidence = medium explanation = This detection rule is designed to identify the execution of the Windows shutdown command via command line interface. The shutdown command can be utilized by system administrators to properly halt, power off, or reboot a computer. However, in a security context, attackers who have gained unauthorized access to a system may also use this command in an effort to erase tracks, or to cause disruption and denial of service. In some instances, they might execute the shutdown command after installing a backdoor, to force the system to restart, ensuring that changes take effect or evading detection by security tools. Monitoring for the use of the Windows shutdown command, especially in conjunction with other unusual or unauthorized activities, can be an important part of identifying malicious behavior within a network. It is advised that security professionals analyze the context in which the shutdown command is being executed to differentiate between legitimate administrative functions and potentially malicious activity. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1529"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1529"], "nist": ["DE.AE"]} known_false_positives = Administrator may execute this commandline to trigger shutdown or restart the host machine. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14364,7 +14564,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies DCRat delay time tactics using w32tm. This technique was seen in DCRAT malware where it uses stripchart function of w32tm.exe application to delay the execution of its payload like c2 communication , beaconing and execution. This anomaly detection may help the analyst to check other possible event like the process who execute this command that may lead to DCRat attack. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1124"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1124"], "nist": ["DE.AE"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14374,7 +14574,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a process execution of Windows OS quser.exe tool. This tool is being abused or used by several post exploitation tool such as winpeas that being used by ransomware prestige to display or gather information about user sessions on a Remote Desktop Session Host server. This command can find out if a specific user is logged on to a specific Remote Desktop Session Host server. This tool can retrieve some RDP information that can be use by attacker for further attack like Name of the user , Name of the session on the Remote Desktop Session Host server, Session ID, State of the session (active or disconnected), Idle time (the number of minutes since the last keystroke or mouse movement at the session) and Date and time the user logged on. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} known_false_positives = network administrator can use this command tool to audit RDP access of user in specific network or host. 
providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] @@ -14384,7 +14584,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic looks for the execution of `whoami.exe` with /priv parameter. This whoami command is used to display or shows the privileges assigned to the current user account. This hunting query can be a good pivot start to look for suspicious usage of whoami application that might related to a malware or adversaries. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} known_false_positives = Administrators or power users may use this command for troubleshooting. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14394,7 +14594,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic is to detect a suspicious process terminating Lsass process. Lsass process is known to be a critical process that is responsible for enforcing security policy system. This process was commonly targetted by threat actor or red teamer to gain privilege escalation or persistence in the targeted machine because it handles credentials of the logon users. In this analytic we tried to detect a suspicious process having a granted access PROCESS_TERMINATE to lsass process to modify or delete protected registrys. This technique was seen in doublezero malware that tries to wipe files and registry in compromised hosts. This anomaly detection can be a good pivot of incident response for possible credential dumping or evading security policy in a host or network environment. how_to_implement = This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} known_false_positives = unknown providing_technologies = null 
@@ -14404,7 +14604,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic is designed to detect potentially malicious processes that initiate a ping delay using an invalid IP address. This evasion technique was observed in NJRAT, where the malware employed ping commands as a means to introduce a time delay before self-deletion on the compromised host. Identifying this (TTP) behavior can serve as a valuable indicator for detecting NJRAT infections or other malware that employ time delays as evasion tactics. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1497", "T1497.003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1497", "T1497.003"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14414,7 +14614,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic detects when an executable known for User Account Control bypass exploitation, spawns a child process in user controlled location or a command shell executable (cmd, powershell, etc). This behavioral chain may indicate that an attacker has used a UAC Bypass exploit to successfully escalate privileges. how_to_implement = Target environment must ingest sysmon data, specifically Event ID 1 with process integrity level data. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548", "T1548.002"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548", "T1548.002"], "nist": ["DE.CM"]} known_false_positives = Including Werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of UAC bypass techniques. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14424,7 +14624,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic detects when a process spawns an executable known for User Account Control bypass exploitation, and then monitors for any subsequent child processes that are above the integrity level of the original spawning process. This behavioral chain may indicate that an attacker has used a UAC Bypass exploit to successfully escalate privileges. how_to_implement = Target environment must ingest sysmon data, specifically Event ID 1 with process integrity level data. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548", "T1548.002"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548", "T1548.002"], "nist": ["DE.CM"]} known_false_positives = Including Werfault.exe may cause some unintended false positives related to normal application faulting, but is used in a number of UAC bypass techniques. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14434,7 +14634,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic focuses on detecting potentially malicious unsigned DLLs created in either the c:\windows\system32 or c:\windows\syswow64 folders. This particular technique was observed in the context of the Warzone (Ave Maria) RAT, where it employed a method known as DLL hijacking (dll-side-loading) by dropping the "dismcore.dll" to achieve privilege escalation. DLL hijacking is a stealthy attack technique used by cybercriminals to exploit the way Windows searches and loads DLLs. By placing a malicious DLL with the same name as one that a legitimate application is expected to load, the attacker can gain unauthorized access and execute malicious code. In the case of Warzone RAT (Ave Maria), the dropped "dismcore.dll" was intended to deceive the system into loading the rogue DLL instead of the legitimate version, thereby granting the malware elevated privileges and enabling further compromise of the target system. Detecting such suspicious DLLs is crucial in preventing privilege escalation attacks and other potential security breaches. Regular security assessments, thorough monitoring, and implementing security best practices are essential in safeguarding systems from such threats. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1574.002"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002"], "nist": ["DE.AE"]} known_false_positives = It is possible some Administrative utilities will load dismcore.dll outside of normal system paths, filter as needed. providing_technologies = null 
@@ -14447,7 +14647,7 @@ The detection calculates the standard deviation for each host and leverages the This detection will only trigger on domain controllers, not on member servers or workstations.\ The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts. how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} known_false_positives = A host failing to authenticate with multiple disabled domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems missconfigured systems. providing_technologies = ["Microsoft Windows"] 
@@ -14460,7 +14660,7 @@ The detection calculates the standard deviation for each host and leverages the This detection will only trigger on domain controllers, not on member servers or workstations.\ The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts. how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} known_false_positives = A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems and missconfigured systems. providing_technologies = ["Microsoft Windows"] 
@@ -14473,7 +14673,7 @@ The detection calculates the standard deviation for each host and leverages the This detection will only trigger on domain controllers, not on member servers or workstations.\ The analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts. how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation' within `Account Logon` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} known_false_positives = A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts. providing_technologies = ["Microsoft Windows"] 
@@ -14486,7 +14686,7 @@ The detection calculates the standard deviation for each host and leverages the This detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed.\ The analytics returned fields allow analysts to investigate the event further by providing fields like source account, attempted user accounts and the endpoint were the behavior was identified. how_to_implement = To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} known_false_positives = A source user failing attempting to authenticate multiple users on a host is not a common behavior for regular systems. Some applications, however, may exhibit this behavior in which case sets of users hosts can be added to an allow list. Possible false positive scenarios include systems where several users connect to like Mail servers, identity providers, remote desktop services, Citrix, etc. providing_technologies = ["Microsoft Windows"] 
@@ -14499,7 +14699,7 @@ The detection calculates the standard deviation for each host and leverages the This detection will only trigger on domain controllers, not on member servers or workstations.\ The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts. how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} known_false_positives = A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, missconfigured systems and multi-user systems like Citrix farms. providing_technologies = ["Microsoft Windows"] 
@@ -14512,7 +14712,7 @@ The detection calculates the standard deviation for each host and leverages the This detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed. This could be a domain controller as well as a member server or workstation.\ The analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts. how_to_implement = To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers aas well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} known_false_positives = A process failing to authenticate with multiple users is not a common behavior for legitimate user sessions. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. providing_technologies = ["Microsoft Windows"] 
@@ -14525,7 +14725,7 @@ The detection calculates the standard deviation for each host and leverages the This detection will only trigger on domain controllers, not on member servers or workstations.\ The analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts. how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation` within `Account Logon` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} known_false_positives = A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts. providing_technologies = ["Microsoft Windows"] 
@@ -14538,7 +14738,7 @@ The detection calculates the standard deviation for each host and leverages the This detection will trigger on the host that is the target of the password spraying attack. This could be a domain controller as well as a member server or workstation.\ The analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts. how_to_implement = To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.003", "T1110"], "nist": ["DE.AE"]} known_false_positives = A host failing to authenticate with multiple valid users against a remote host is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, missconfigyred systems, etc. providing_technologies = ["Microsoft Windows"] 
@@ -14548,7 +14748,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic will identify suspicious creation of URL shortcut link files. This technique was seen in CHAOS ransomware where it will drop this .url link file in %startup% folder that contains the path of its malicious dropped file to execute upon the reboot of the targeted host. The creation of this file can be created by a normal application or software but it is a good practice to verify this type of file specially the resource it tries to execute which is commonly a website. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1204.002", "T1204"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.002", "T1204"], "nist": ["DE.CM"]} known_false_positives = Administrators may allow creation of script or exe in this path. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14558,7 +14758,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies net.exe updating user account policies for password requirement with non-expiring password. This technique was seen in several adversaries and malware like Azorult to maintain the foothold (persistence), gaining privilege escalation, defense evasion and possible for lateral movement for specific users or created user account on the targeted host. This TTP detections is a good pivot to see further what other events that users executes on the machines. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]} known_false_positives = This behavior is not commonly seen in production environment and not advisable, filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14568,7 +14768,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic leverages Sysmon, a powerful system monitoring and logging tool, to pinpoint instances of the 3CXDesktopApp.exe with a FileVersion of 18.12.x.Recently, 3CX has discovered a vulnerability specifically in versions 18.12.407 and 18.12.416 of the desktop app. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1195.002"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.002"], "nist": ["DE.CM"]} known_false_positives = False positives may be present based on file version, modify the analytic to only look for version between 18.12.407 and 18.12.416 as needed. providing_technologies = null 
@@ -14578,7 +14778,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic utilizes a known list of vulnerable Windows drivers to help defenders find potential persistence or privelege escalation via a vulnerable driver. This analytic uses Sysmon EventCode 6, driver loading. A known gap with this lookup is that it does not use the hash or known signer of the vulnerable driver therefore it is up to the defender to identify version and signing info and confirm it is a vulnerable driver. how_to_implement = Sysmon collects driver loads via EventID 6, however you may modify the query to utilize this lookup to identify potentially persistent drivers that are known to be vulnerable. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1543.003"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543.003"], "nist": ["DE.AE"]} known_false_positives = False positives will be present. Drill down into the driver further by version number and cross reference by signer. Review the reference material in the lookup. In addition, modify the query to look within specific paths, which will remove a lot of "normal" drivers. providing_technologies = null 
@@ -14588,7 +14788,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies instances of the WinDBG process spawning AutoIt3. This behavior may indicate malicious activity as AutoIt3 is often used by threat actors for scripting malicious automation. The search specifically looks for instances where the parent process name is 'windbg.exe' and the process name is 'autoit3.exe' or 'autoit*.exe'. During the triage process, it is recommended to review the file path for additional artifacts that may provide further insights into the event. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]} known_false_positives = False positives will only be present if the WinDBG process legitimately spawns AutoIt3. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14600,7 +14800,7 @@ explanation = The following analytic is designed to detect anomalous behavior as Winlogon.exe is a critical Windows process responsible for managing user logon and logoff processes. Under normal circumstances, Winlogon.exe should not be connecting to public IP addresses. However, if it does, it may indicate that the process has been compromised as part of the BlackLotus Campaign or another malicious operation.\ This analytic monitors network connections made by Winlogon.exe and triggers an alert if it detects connections to public IP space. By identifying such anomalous behavior, security analysts can investigate further and respond swiftly to potential threats. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1542.003"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1542.003"], "nist": ["DE.AE"]} known_false_positives = False positives will be present and filtering will be required. Legitimate IPs will be present and need to be filtered. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14610,7 +14810,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies a possible wmi token impersonation activities in a process or command. This technique was seen in Qakbot malware where it will execute a vbscript code contains wmi impersonation object to gain privilege escalation or as defense evasion. This Anomaly detection looks for wmiprvse.exe SourceImage having a duplicate handle or full granted access in a target process. how_to_implement = This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1047"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.AE"]} known_false_positives = administrator may execute impersonate wmi object script for auditing. Filter is needed. providing_technologies = null 
@@ -14620,7 +14820,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies suspicious process command line, where WMI is performing an event query looking for running processes or running services. This technique is commonly found where the adversary will identify services and system information on the compromised machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1047"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.AE"]} known_false_positives = netowrk administrator or IT may execute this command for auditing processes and services. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14630,7 +14830,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic is to look for wmi commandlines to execute or create process. This technique was used by adversaries or threat actor to execute their malicious payload in local or remote host. This hunting query is a good pivot to start to look further which process trigger the wmi or what process it execute locally or remotely. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1047"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.AE"]} known_false_positives = Administrators may execute this command for testing or auditing. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14643,7 +14843,7 @@ The search will return the initial and final times the task was registered, alon Schtasks.exe is typically found in C:\Windows\system32 and C:\Windows\syswow64. The DLL 'taskschd.dll' is loaded when either schtasks.exe or TaskService is launched. If this DLL is found loaded by another process, it's possible that a scheduled task is being registered within the context of that process in memory.\ During triage, it's essential to identify the source of the scheduled task. Was it registered via schtasks.exe or TaskService? Review the job that was created and the command set to be executed. It's also recommended to capture and review any artifacts on disk, and identify any parallel processes within the same timeframe to locate the source. how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} known_false_positives = False positives are possible if legitimate applications are allowed to register tasks that call a shell to be spawned. Filter as needed based on command-line or processes that are used legitimately. providing_technologies = ["Microsoft Windows"] 
@@ -14656,7 +14856,7 @@ When this analytic is triggered, it provides information such as the first and l During the triage process, it is essential to identify the source of the scheduled task creation, whether it was initiated through schtasks.exe or TaskService. The analyst should review the task that was created, including the command to be executed. Additionally, any artifacts on disk related to the task should be captured and analyzed. It is also recommended to identify any parallel processes that occurred within the same timeframe to determine the source of the task creation.\ By conducting this triage process, security analysts can gain insights into potentially malicious or suspicious scheduled tasks, helping them identify the source and assess the impact of the task. This analytic is valuable for a Security Operations Center (SOC) as it can detect unauthorized or suspicious activity that could indicate an attacker's attempt to establish persistence or execute unauthorized commands on the system.\ how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} known_false_positives = False positives are possible if legitimate applications are allowed to register tasks in public paths. Filter as needed based on paths that are used legitimately. providing_technologies = ["Microsoft Windows"] 
@@ -14670,7 +14870,7 @@ To implement this analytic, Task Scheduler logs must be collected. This can be d False positives are expected with this analytic, so it is important to filter the results based on the paths or specific keywords of interest in the ActionName field to reduce noise.\ Identifying and analyzing scheduled tasks that have been executed is crucial for a Security Operations Center (SOC) as it helps detect potentially malicious or unauthorized activities on Windows systems. By capturing and investigating the associated events, analysts can uncover signs of persistence mechanisms, unauthorized code execution, or suspicious behaviors. The impact of a true positive could range from unauthorized access to data exfiltration or the execution of malicious payloads. how_to_implement = Task Scheduler logs are required to be collected. Enable logging with inputs.conf by adding a stanza for [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] and renderXml=false. Note, not translating it in XML may require a proper extraction of specific items in the Message. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.005"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005"], "nist": ["DE.AE"]} known_false_positives = False positives will be present. Filter based on ActionName paths or specify keywords of interest. providing_technologies = null 
@@ -14680,7 +14880,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies winhlp32.exe, found natively in `c:\windows\`, spawning a child process that loads a file out of appdata, programdata, or temp. Winhlp32.exe has a rocky past in that multiple vulnerabilities were found and added to MetaSploit. WinHlp32.exe is required to display 32-bit Help files that have the ".hlp" file name extension. This particular instance is related to a Remcos sample where dynwrapx.dll is added to the registry under inprocserver32, and later module loaded by winhlp32.exe to spawn wscript.exe and load a vbs or file from disk. During triage, review parallel processes to identify further suspicious behavior. Review module loads for unsuspecting unsigned modules. Capture any file modifications and analyze. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} known_false_positives = False positives should be limited as winhlp32.exe is typically not used with the latest flavors of Windows OS. However, filter as needed. 
providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14690,7 +14890,7 @@ asset_type = endpoint confidence = medium explanation = The following analytic detects the execution of Windows shell processes initiated by WinRAR, specifically looking for instances where WinRAR spawns processes like "cmd.exe", "powershell.exe", "certutil.exe", "mshta.exe", or "bitsadmin.exe". This behavior is worth identifying for a Security Operations Center (SOC) because it is indicative of a spoofing attack exploit, such as the one associated with WinRAR CVE-2023-38831. Cybercriminals exploited this vulnerability to craft ZIP archives with spoofed extensions, hiding the launch of malicious scripts within an archive. When a victim opened the specially crafted archive, it executed the malware, leading to unauthorized access to their broker accounts and enabling the cybercriminals to perform illicit financial transactions and withdraw funds. If a true positive is found, it suggests that an attacker has successfully exploited the vulnerability to execute malicious scripts, leading to unauthorized access, financial loss, and potentially the delivery of additional malicious payloads. The impact of the attack could be severe, involving financial loss, unauthorized access to sensitive accounts, and the potential for further malicious activity such as data theft or ransomware attacks. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} known_false_positives = Be aware of potential false positives - legitimate uses of WinRAR and the listed processes in your environment may cause benign activities to be flagged. Upon triage, review the destination, user, parent process, and process name involved in the flagged activity. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14700,7 +14900,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies suspicious processes spawning from WinRM (wsmprovhost.exe). This analytic is related to potential exploitation of CVE-2021-31166. which is a kernel-mode device driver http.sys vulnerability. Current proof of concept code will blue-screen the operating system. However, http.sys used by many different Windows processes, including WinRM. In this case, identifying suspicious process create (child processes) from `wsmprovhost.exe` is what this analytic is identifying. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} known_false_positives = Unknown. Add new processes or filter as needed. It is possible system management software may spawn processes from `wsmprovhost.exe`. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14710,7 +14910,7 @@ asset_type = Endpoint confidence = medium explanation = The following detection identifies Microsoft Word spawning `cmd.exe`. Typically, this is not common behavior and not default with winword.exe. Winword.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). Cmd.exe spawning from winword.exe is common for a spearphishing attachment and is actively used. Albeit, the command-line will indicate what is being executed. During triage, review parallel processes and identify any files that may have been written. It is possible that COM is utilized to trampoline the child process to `explorer.exe` or `wmiprvse.exe`. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} known_false_positives = False positives should be limited, but if any are present, filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14720,7 +14920,7 @@ asset_type = Endpoint confidence = medium explanation = The following detection identifies Microsoft Word spawning PowerShell. Typically, this is not common behavior and not default with winword.exe. Winword.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). PowerShell spawning from winword.exe is common for a spearphishing attachment and is actively used. Albeit, the command executed will most likely be encoded and captured via another detection. During triage, review parallel processes and identify any files that may have been written. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} known_false_positives = False positives should be limited, but if any are present, filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14730,7 +14930,7 @@ asset_type = Endpoint confidence = medium explanation = The following detection identifies Microsoft Winword.exe spawning Windows Script Host - `cscript.exe` or `wscript.exe`. Typically, this is not common behavior and not default with Winword.exe. Winword.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). `cscript.exe` or `wscript.exe` default location is `c:\windows\system32\` or c:windows\syswow64\`. `cscript.exe` or `wscript.exe` spawning from Winword.exe is common for a spearphishing attachment and is actively used. Albeit, the command-line executed will most likely be obfuscated and captured via another detection. During triage, review parallel processes and identify any files that may have been written. Review the reputation of the remote destination and block accordingly. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} known_false_positives = There will be limited false positives and it will be different for every environment. Tune by child process or command-line as needed. 
providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14740,7 +14940,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic detects the creation of permanent event subscriptions using Windows Management Instrumentation (WMI), which is used by attackers to achieve persistence in a compromised system. By creating a permanent event subscription, an attacker can run malicious scripts or binaries in response to specific system events that enables them to maintain access to the system undetected. The detection is made by using Sysmon Event ID 5 data to detect instances where the consumers of these events are not the expected "NTEventLogEventConsumer." The detection is important because it identifies unusual or unexpected subscription creation, which suggests that an attacker is attempting to achieve persistence within the environment and might be executing malicious scripts or binaries in response to specific system events. The impact of such an attack can be severe, potentially leading to data theft, ransomware, or other damaging outcomes. False positives might occur since False positives might occur since WMI event subscriptions can be used for legitimate purposes by system administrators. You must have a thorough understanding of WMI activity within the context of the monitored environment to effectively differentiate between legitimate and malicious activity.Next steps include investigating the associated scripts or binaries and identifying the source of the attack. how_to_implement = To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational]. 
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} known_false_positives = Although unlikely, administrators may use event subscriptions for legitimate purposes. providing_technologies = null @@ -14755,7 +14955,7 @@ All event subscriptions have three components \ 1. Binding - Registers a filter to a consumer. EventID = 21 \ Monitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding. It may be pertinent to review all 3 to identify the flow of execution. In addition, EventCode 4104 may assist with any other PowerShell script usage that registered the subscription. how_to_implement = To successfully implement this search, you must be collecting Sysmon data using Sysmon version 6.1 or greater and have Sysmon configured to generate alerts for WMI activity (eventID= 19, 20, 21). In addition, you must have at least version 6.0.4 of the Sysmon TA installed to properly parse the fields. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1546.003", "T1546"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.003", "T1546"], "nist": ["DE.CM"]} known_false_positives = Although unlikely, administrators may use event subscriptions for legitimate purposes. providing_technologies = null 
@@ -14765,7 +14965,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies suspicious PowerShell script execution via EventCode 4104, where WMI is performing an event query looking for running processes or running services. This technique is commonly found in malware and APT events where the adversary will map all running security applications or services on the compromised machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1592"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592"], "nist": ["DE.AE"]} known_false_positives = Network administrator may used this command for checking purposes providing_technologies = ["Microsoft Windows"] 
@@ -14775,7 +14975,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic detects the creation of WMI temporary event subscriptions. WMI (Windows Management Instrumentation) is a management technology that allows administrators to perform various tasks on Windows-based systems. Temporary event subscriptions are created to monitor specific events or changes on a system that help to detect potential threats early and take proactive measures to protect the organization's systems and data. The detection is made by using the Splunk query `wmi` EventCode=5860 Temporary to search for events with EventCode 5860, which indicates the creation of a temporary WMI event subscription. To further refine the search results, the query uses regular expressions (rex) to extract the query used in the event subscription. Then, it filters known benign queries related to system processes such as 'wsmprovhost.exe' and 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct', which helps to focus on potentially malicious or suspicious queries. The detection is important because it indicates malicious activity since attackers use WMI to run commands, gather information, or maintain persistence within a compromised system. False positives might occur since legitimate uses of WMI event subscriptions in the environment might trigger benign activities to be flagged. Therefore, an extensive triage is necessary to review the specific query and assess its intent. Additionally, capturing and inspecting relevant on-disk artifacts and analyzing concurrent processes can help to identify the source of the attack. Detecting the creation of these event subscriptions to identify potential threats early and take appropriate actions to mitigate the risks. how_to_implement = To successfully implement this search, you must be ingesting the Windows WMI activity logs. 
This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational]. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} known_false_positives = Some software may create WMI temporary event subscriptions for various purposes. The included search contains an exception for two of these that occur by default on Windows 10 systems. You may need to modify the search to create exceptions for other legitimate events. providing_technologies = null 
@@ -14787,7 +14987,7 @@ explanation = The following hunting analytic identifies the use of `wmic.exe` en Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \ During triage, review parallel processes and identify any further suspicious behavior. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} known_false_positives = Administrators or power users may use this command for troubleshooting. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14797,7 +14997,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic indentifies WMIC command-line attempting to uninstall application non-interactively. This technique was seen in IcedID to uninstall AV products on the compromised host to evade detection. This Hunting query maybe a good indicator that some process tries to uninstall application using wmic which is not a common behavior. This approach may seen in some script or third part appication to uninstall their application but it is a good thing to check what it uninstall and why. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} known_false_positives = Third party application may use this approach to uninstall applications. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14807,7 +15007,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies `wmic.exe` loading a remote XSL (eXtensible Stylesheet Language) script. This originally was identified by Casey Smith, dubbed Squiblytwo, as an application control bypass. Many adversaries will utilize this technique to invoke JScript or VBScript within an XSL file. This technique can also execute local/remote scripts and, similar to its Regsvr32 "Squiblydoo" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in Windows Management Instrumentation provided they utilize the /FORMAT switch. Upon identifying a suspicious execution, review for confirmed network connnection and script download. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1220"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1220"], "nist": ["DE.CM"]} known_false_positives = False positives are limited as legitimate applications typically do not download files or xsl using WMIC. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14817,7 +15017,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies `wmiprsve.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing Windows Management Instrumentation (WMI), the executed command is spawned as a child process of `wmiprvse.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of wmiprvse.exe that are part of the LOLBAS project can help defenders identify lateral movement activity. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} known_false_positives = Legitimate applications may trigger this behavior, filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14827,7 +15027,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic identifies a suspicious spawned process by WScript or CScript process. This technique was a common technique used by adversaries and malware to execute different LOLBIN, other scripts like PowerShell or spawn a suspended process to inject its code as a defense evasion. This TTP may detect some normal script that using several application tool that are in the list of the child process it detects but a good pivot and indicator that a script is may execute suspicious code. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1055", "T1543", "T1134.004", "T1134"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1055", "T1543", "T1134.004", "T1134"], "nist": ["DE.CM"]} known_false_positives = Administrators may create vbs or js script that use several tool as part of its execution. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14837,7 +15037,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies `Wsmprovhost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Windows Remote Management (WinRm) protocol, the executed command is spawned as a child processs of `Wsmprovhost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of Wsmprovhost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]} known_false_positives = Legitimate applications may trigger this behavior, filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14847,7 +15047,7 @@ asset_type = Endpoint confidence = medium explanation = This search is to detect a suspicious modification of registry related to UAC bypass. This technique is to modify the registry in this detection, create a registry value with the path of the payload and run WSreset.exe to bypass User account Control. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14857,7 +15057,7 @@ asset_type = Endpoint confidence = medium explanation = This analytic identifies XMRIG coinminer driver installation on the system. The XMRIG driver name by default is `WinRing0x64.sys`. This cpu miner is an open source project that is commonly abused by adversaries to infect and mine bitcoin. how_to_implement = To successfully implement this search, you need to be ingesting logs with the driver loaded and Signature from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.CM"]} known_false_positives = False positives should be limited. providing_technologies = null 
@@ -14867,7 +15067,7 @@ asset_type = Endpoint confidence = medium explanation = This search is to detect a suspicious wmic.exe process or renamed wmic process to execute malicious xsl file. This technique was seen in FIN7 to execute its malicous jscript using the .xsl as the loader with the help of wmic.exe process. This TTP is really a good indicator for you to hunt further for FIN7 or other attacker that known to used this technique. how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1220"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1220"], "nist": ["DE.CM"]} known_false_positives = unknown providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] 
@@ -14877,7 +15077,7 @@ asset_type = Infrastructure confidence = medium explanation = By enabling Dynamic ARP Inspection as a Layer 2 Security measure on the organization's network devices, we will be able to detect ARP Poisoning attacks in the Infrastructure. how_to_implement = This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with DHCP Snooping (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) and Dynamic ARP Inspection (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_2_e/security/configuration_guide/b_sec_1522e_2960x_cg/b_sec_1522e_2960x_cg_chapter_01111.html) and log with a severity level of minimum "5 - notification". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices. -annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1200", "T1498", "T1557", "T1557.002"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Actions on Objectives", "Exploitation"], "mitre_attack": ["T1200", "T1498", "T1557", "T1557.002"], "nist": ["DE.CM"]} known_false_positives = This search might be prone to high false positives if DHCP Snooping or ARP inspection has been incorrectly configured, or if a device normally sends many ARP packets (unlikely). providing_technologies = null 
@@ -14895,7 +15095,7 @@ how_to_implement = Steps to deploy DGA detection model into Splunk App DSDL.\ Th * Upload `pretrained_dga_model_dsdl.pynb` into Jupyter lab notebooks folder using the upload option in Jupyter lab\ * Save the notebook using the save option in jupyter notebook.\ * Upload `pretrained_dga_model_dsdl.json` into `notebooks/data` folder. -annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1568.002"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1568.002"], "nist": ["DE.AE"]} known_false_positives = False positives may be present if domain name is similar to dga generated domains. providing_technologies = null @@ -14913,7 +15113,7 @@ how_to_implement = Steps to deploy detect DNS data exfiltration model into Splun * Upload detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.pynb into Jupyter lab notebooks folder using the upload option in Jupyter lab \ * Save the notebook using the save option in jupyter notebook. \ * Upload `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.json` into `notebooks/data` folder. -annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1048.003"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.AE"]} known_false_positives = False positives may be present if DNS data exfiltration request look very similar to benign DNS requests. providing_technologies = null 
@@ -14929,7 +15129,7 @@ This search produces fields (query, answer, isDynDNS) that are not yet supported 1. \ 1. **Label:** IsDynamicDNS, **Field:** isDynDNS\ Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` -annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]} known_false_positives = Some users and applications may leverage Dynamic DNS to reach out to some domains on the Internet since dynamic DNS by itself is not malicious, however this activity must be verified. providing_technologies = null @@ -14939,7 +15139,7 @@ asset_type = Infrastructure confidence = medium explanation = By enabling IPv6 First Hop Security as a Layer 2 Security measure on the organization's network devices, we will be able to detect various attacks such as packet forging in the Infrastructure. how_to_implement = This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with one or more First Hop Security measures such as RA Guard, DHCP Guard and/or device tracking. See References for more information. The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices. -annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1200", "T1498", "T1557", "T1557.002"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Actions on Objectives", "Exploitation"], "mitre_attack": ["T1200", "T1498", "T1557", "T1557.002"], "nist": ["DE.CM"]} known_false_positives = None currently known providing_technologies = null 
@@ -14949,7 +15149,7 @@ asset_type = Endpoint confidence = medium explanation = This search looks for outbound ICMP packets with a packet size larger than 1,000 bytes. Various threat actors have been known to use ICMP as a command and control channel for their attack infrastructure. Large ICMP packets from an endpoint to a remote host may be indicative of this activity. how_to_implement = In order to run this search effectively, we highly recommend that you leverage the Assets and Identity framework. It is important that you have a good understanding of how your network segments are designed and that you are able to distinguish internal from external address space. Add a category named `internal` to the CIDRs that host the company's assets in the `assets_by_cidr.csv` lookup file, which is located in `$SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/`. More information on updating this lookup can be found here: https://docs.splunk.com/Documentation/ES/5.0.0/Admin/Addassetandidentitydata. This search also requires you to be ingesting your network traffic and populating the Network_Traffic data model -annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1095"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1095"], "nist": ["DE.CM"]} known_false_positives = ICMP packets are used in a variety of ways to help troubleshoot networking issues and ensure the proper flow of traffic. As such, it is possible that a large ICMP packet could be perfectly legitimate. If large ICMP packets are associated with Command And Control traffic, there will typically be a large number of these packets observed over time. If the search is providing a large number of false positives, you can modify the macro `detect_large_outbound_icmp_packets_filter` to adjust the byte threshold or add specific IP addresses to an allow list. providing_technologies = null 
@@ -14959,7 +15159,7 @@ asset_type = Endpoint confidence = medium explanation = Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space. how_to_implement = You must be ingesting Zeek DNS and Zeek Conn data into Splunk. Zeek data should also be getting ingested in JSON format and should be mapped to the Network Traffic datamodels that are in use for this search. -annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190", "T1059"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1059"], "nist": ["DE.AE"]} known_false_positives = Unknown at this moment. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. Please check those servers to verify if the activity is legitimate. providing_technologies = null 
@@ -14969,7 +15169,7 @@ asset_type = Endpoint confidence = medium explanation = This search looks for outbound SMB connections made by hosts within your network to the Internet. SMB traffic is used for Windows file-sharing activity. One of the techniques often used by attackers involves retrieving the credential hash using an SMB request made to a compromised server controlled by the threat actor. how_to_implement = In order to run this search effectively, we highly recommend that you leverage the Assets and Identity framework. It is important that you have good understanding of how your network segments are designed, and be able to distinguish internal from external address space. Add a category named `internal` to the CIDRs that host the companys assets in `assets_by_cidr.csv` lookup file, which is located in `$SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/`. More information on updating this lookup can be found here: https://docs.splunk.com/Documentation/ES/5.0.0/Admin/Addassetandidentitydata. This search also requires you to be ingesting your network traffic and populating the Network_Traffic data model -annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1071.002", "T1071"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.002", "T1071"], "nist": ["DE.CM"]} known_false_positives = It is likely that the outbound Server Message Block (SMB) traffic is legitimate, if the company's internal networks are not well-defined in the Assets and Identity Framework. Categorize the internal CIDR blocks as `internal` in the lookup file to avoid creating notable events for traffic destined to those CIDR blocks. Any other network connection that is going out to the Internet should be investigated and blocked. Best practices suggest preventing external communications of all SMB versions and related protocols at the network boundary. providing_technologies = null 
@@ -14979,7 +15179,7 @@ asset_type = Infrastructure confidence = medium explanation = By enabling Port Security on a Cisco switch you can restrict input to an interface by limiting and identifying MAC addresses of the workstations that are allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port. If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, when the MAC address of a workstation attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs. how_to_implement = This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with Port Security and Error Disable for this to work (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html) and log with a severity level of minimum "5 - notification". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices. -annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1200", "T1498", "T1557", "T1557.002"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Actions on Objectives", "Exploitation"], "mitre_attack": ["T1200", "T1498", "T1557", "T1557.002"], "nist": ["DE.CM"]} known_false_positives = This search might be prone to high false positives if you have malfunctioning devices connected to your ethernet ports or if end users periodically connect physical devices to the network. providing_technologies = null 
@@ -14989,7 +15189,7 @@ asset_type = Infrastructure confidence = medium explanation = By enabling DHCP Snooping as a Layer 2 Security measure on the organization's network devices, we will be able to detect unauthorized DHCP servers handing out DHCP leases to devices on the network (Man in the Middle attack). how_to_implement = This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with DHCP Snooping enabled (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) and log with a severity level of minimum "5 - notification". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices. -annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1200", "T1498", "T1557"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Actions on Objectives", "Exploitation"], "mitre_attack": ["T1200", "T1498", "T1557"], "nist": ["DE.CM"]} known_false_positives = This search might be prone to high false positives if DHCP Snooping has been incorrectly configured or in the unlikely event that the DHCP server has been moved to another network interface. providing_technologies = null 
@@ -14999,7 +15199,7 @@ asset_type = Network confidence = medium explanation = This search looks for commands that the SNICat tool uses in the TLS SNI field. how_to_implement = You must be ingesting Zeek SSL data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting when any of the predefined SNICat commands are found within the server_name (SNI) field. These commands are LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE, and finito. You can go further once this has been detected, and run other searches to decode the SNI data to prove or disprove if any data exfiltration has taken place. -annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1041"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1041"], "nist": ["DE.CM"]} known_false_positives = Unknown providing_technologies = null 
@@ -15009,7 +15209,7 @@ asset_type = Infrastructure confidence = medium explanation = Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images. how_to_implement = This search looks for Network Traffic events to TFTP, FTP or SSH/SCP ports from network devices. Make sure to tag any network devices as network, router or switch in order for this detection to work. If the TFTP traffic doesn't traverse a firewall nor packet inspection, these events will not be logged. This is typically an issue if the TFTP server is on the same subnet as the network device. There is also a chance of the network device loading software using a DHCP assigned IP address (netboot) which is not in the Asset inventory. -annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1542.005", "T1542"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1542.005", "T1542"], "nist": ["DE.CM"]} known_false_positives = This search will also report any legitimate attempts of software downloads to network devices as well as outbound SSH sessions from network devices. providing_technologies = null 
@@ -15028,7 +15228,7 @@ how_to_implement = Steps to deploy detect suspicious DNS TXT records model into
 * Upload detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.ipynb` into Jupyter lab notebooks folder using the upload option in Jupyter lab.\
 * Save the notebook using the save option in Jupyter notebook.\
 * Upload `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.json` into `notebooks/data` folder.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1568.002"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1568.002"], "nist": ["DE.AE"]}
 known_false_positives = False positives may be present if DNS TXT record contents are similar to benign DNS TXT record contents.
 providing_technologies = null
@@ -15038,7 +15238,7 @@ asset_type = Infrastructure
 confidence = medium
 explanation = Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device.
 how_to_implement = This search uses a standard SPL query on logs from Cisco Network devices. The network devices must log with a severity level of minimum "5 - notification". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices and that the devices have been configured according to the documentation of the Cisco Networks Add-on. Also note that an attacker may disable logging from the device prior to enabling traffic mirroring.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1200", "T1020", "T1498", "T1020.001"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Actions on Objectives"], "mitre_attack": ["T1200", "T1020", "T1498", "T1020.001"], "nist": ["DE.CM"]}
 known_false_positives = This search will return false positives for any legitimate traffic captures by network administrators.
 providing_technologies = null
@@ -15058,7 +15258,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = Ensure that the following prerequisites are met: (i) Both Splunk Stream DNS and TCP data are ingested. (ii) The macros 'stream:dns' and 'stream:tcp' are replaced with the appropriate configurations that are specific to your Splunk environment. The following analytic detects SIGRed exploitation attempts. SIGRed is a critical wormable vulnerability found in Windows DNS servers, known as CVE-2020-1350, which allows remote code execution. The detection is made by using an experimental search that focuses on identifying specific indicators that might suggest the presence of the SIGRed exploit such as DNS SIG records, KEY records, and TCP payloads greater than 65KB. This detection is important because it detects and responds to potential SIGRed exploitation attempts and minimizes the risk of a successful attack and its impact on the organization's infrastructure and data. False positives might occur due to the experimental nature of this analytic. Next steps include reviewing and investigating each case thoroughly given the potential for unauthorized Windows DNS server access, data breaches, and service disruptions. Additionally, you must stay updated with Microsoft's guidance on the SIGRed vulnerability.
 how_to_implement = You must be ingesting Splunk Stream DNS and Splunk Stream TCP. We are detecting SIG and KEY records via stream:dns and TCP payload over 65KB in size via stream:tcp. Replace the macro definitions ('stream:dns' and 'stream:tcp') with configurations for your Splunk environment.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1203"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1203"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -15068,7 +15268,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic detects the presence of SIGRed, a critical DNS vulnerability, using Zeek DNS and Zeek Conn data. SIGRed vulnerability allows attackers to run remote code on Windows DNS servers. By detecting SIGRed early, you can prevent further damage and protect the organization's network infrastructure. The detection is made by identifying specific DNS query types (SIG and KEY) in the Zeek DNS data and checks for high data transfer in the Zeek Conn data. If multiple instances of these indicators are found within a flow, it suggests the presence of SIGRed. The detection is important because it indicates a potential compromise of Windows DNS servers that suggests that an attacker might have gained unauthorized access to the DNS server and can run arbitrary code. The impact of this attack can be severe, leading to data exfiltration, unauthorized access, or disruption of critical services. Next steps include investigating the affected flow and taking immediate action to mitigate the vulnerability. This can involve patching the affected DNS server, isolating the server from the network, or conducting a forensic analysis to determine the extent of the compromise.
 how_to_implement = You must be ingesting Zeek DNS and Zeek Conn data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting SIG and KEY records via bro:dns:json and TCP payload over 65KB in size via bro:conn:json. The Network Resolution and Network Traffic datamodels are in use for this search.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1203"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1203"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -15078,7 +15278,7 @@ asset_type = Network
 confidence = medium
 explanation = The following analytic detects attempts to exploit the Zerologon CVE-2020-1472 vulnerability through Zeek RPC. By detecting attempts to exploit the Zerologon vulnerability through Zeek RPC, SOC analysts can identify potential threats earlier and take appropriate action to mitigate the risks. This detection is made by a Splunk query that looks for specific Zeek RPC operations, including NetrServerPasswordSet2, NetrServerReqChallenge, and NetrServerAuthenticate3, which are aggregated by source and destination IP address and time. This detection is important because it suggests that an attacker is attempting to exploit the Zerologon vulnerability to gain unauthorized access to the domain controller. Zerologon vulnerability is a critical vulnerability that allows attackers to take over domain controllers without authentication, leading to a complete takeover of an organization's IT infrastructure. The impact of such an attack can be severe, potentially leading to data theft, ransomware, or other devastating outcomes. False positives might occur since legitimate Zeek RPC activity can trigger the analytic. Next steps include reviewing the identified source and destination IP addresses and the specific RPC operations used. Capture and inspect any relevant on-disk artifacts, and review concurrent processes to identify the attack source upon triage .
 how_to_implement = You must be ingesting Zeek DCE-RPC data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting when all three RPC operations (NetrServerReqChallenge, NetrServerAuthenticate3, NetrServerPasswordSet2) are splunk_security_essentials_app via bro:rpc:json. These three operations are then correlated on the Zeek UID field.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -15094,7 +15294,7 @@ This search produces fields (`query`,`query_length`,`count`) that are not yet su
 1. \
 1. **Label:** Number of events, **Field:** count\
 Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1071.004", "T1071"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.004", "T1071"], "nist": ["DE.AE"]}
 known_false_positives = If you are seeing more results than desired, you may consider reducing the value for threshold in the search. You should also periodically re-run the support search to re-build the ML model on the latest data.
 providing_technologies = null
@@ -15104,7 +15304,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search allows you to identify DNS requests and compute the standard deviation on the length of the names being resolved, then filter on two times the standard deviation to show you those queries that are unusually large for your environment.
 how_to_implement = To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.AE"]}
 known_false_positives = It's possible there can be long domain names that are legitimate.
 providing_technologies = null
@@ -15114,7 +15314,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search identifies DNS query failures by counting the number of DNS responses that do not indicate success, and trigger on more than 50 occurrences.
 how_to_implement = To successfully implement this search you must ensure that DNS data is populating the Network_Resolution data model.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1071.004", "T1071"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.004", "T1071"], "nist": ["DE.AE"]}
 known_false_positives = It is possible legitimate traffic can trigger this rule. Please investigate as appropriate. The threshold for generating an event can also be customized to better suit your environment.
 providing_technologies = null
@@ -15124,7 +15324,7 @@ asset_type = Web Server
 confidence = medium
 explanation = The following analytic identifies a recent unauthenticated remote code execution vulnerablity against the F5 BIG-IP iControl REST API. The analytic identifies the URI path found in the POCs and the HTTP Method of POST. In addition, the request header will have the commands that may be executed in fields utilcmdargs and the auth field of X-F5-Auth-Token, which may have a random base64 encoded value.
 how_to_implement = To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed.
 providing_technologies = null
@@ -15134,7 +15334,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for an increase of data transfers from your email server to your clients. This could be indicative of a malicious actor collecting data using your email server.
 how_to_implement = This search requires you to be ingesting your network traffic and populating the Network_Traffic data model. Your email servers must be categorized as "email_server" for the search to work, as well. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The "deviation_threshold" field is a multiplying factor to control how much variation you're willing to tolerate. The "minimum_data_samples" field is the minimum number of connections of data samples required for the statistic to be valid.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1114.002", "T1114"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.002", "T1114"], "nist": ["DE.AE"]}
 known_false_positives = The false-positive rate will vary based on how you set the deviation_threshold and data_samples values. Our recommendation is to adjust these values based on your network traffic to and from your email servers.
 providing_technologies = null
@@ -15144,7 +15344,7 @@ asset_type = DNS Servers
 confidence = medium
 explanation = The search is used to identify attempts to use your DNS Infrastructure for DDoS purposes via a DNS amplification attack leveraging ANY queries.
 how_to_implement = To successfully implement this search you must ensure that DNS data is populating the Network_Resolution data model.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1498", "T1498.002"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1498", "T1498.002"], "nist": ["DE.AE"]}
 known_false_positives = Legitimate ANY requests may trigger this search, however it is unusual to see a large volume of them under typical circumstances. You may modify the threshold in the search to better suit your environment.
 providing_technologies = null
@@ -15154,7 +15354,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is designed to detect high frequency of archive files data exfiltration through HTTP POST method protocol. This are one of the common techniques used by APT or trojan spy after doing the data collection like screenshot, recording, sensitive data to the infected machines. The attacker may execute archiving command to the collected data, save it a temp folder with a hidden attribute then send it to its C2 through HTTP POST. Sometimes adversaries will rename the archive files or encode/encrypt to cover their tracks. This detection can detect a renamed archive files transfer to HTTP POST since it checks the request body header. Unfortunately this detection cannot support archive that was encrypted or encoded before doing the exfiltration.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled in stream http configuration.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.CM"]}
 known_false_positives = Normal archive transfer via HTTP protocol may trip this detection.
 providing_technologies = null
@@ -15164,7 +15364,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic identifies the 4 most common Ngrok used domains based on DNS queries under the Network Resolution datamodel. It's possible these domains may be ran against the Web datamodel or ran with a direct query across network/proxy traffic. The sign of someone using Ngrok is not malicious, however, more recenctly it has become an adversary tool.
 how_to_implement = The Network Resolution Datamodel will need to have data mapped to it regarding DNS queries. Modify query as needed to use another source.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1572", "T1090", "T1102"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1572", "T1090", "T1102"], "nist": ["DE.AE"]}
 known_false_positives = False positives will be present based on organizations that allow the use of Ngrok. Filter or monitor as needed.
 providing_technologies = null
@@ -15174,7 +15374,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search is to detect potential plain HTTP POST method data exfiltration. This network traffic is commonly used by trickbot, trojanspy, keylogger or APT adversary where arguments or commands are sent in plain text to the remote C2 server using HTTP POST method as part of data exfiltration.
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = null
@@ -15184,7 +15384,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for network traffic defined by port and transport layer protocol in the Enterprise Security lookup table "lookup_interesting_ports", that is marked as prohibited, and has an associated 'allow' action in the Network_Traffic data model. This could be indicative of a misconfigured network device.
 how_to_implement = In order to properly run this search, Splunk needs to ingest data from firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search requires the Network_Traffic data model be populated.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1048"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048"], "nist": ["DE.CM"]}
 known_false_positives = None identified
 providing_technologies = null
@@ -15194,7 +15394,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for network traffic on common ports where a higher layer protocol does not match the port that is being used. For example, this search should identify cases where protocols other than HTTP are running on TCP port 80. This can be used by attackers to circumvent firewall restrictions, or as an attempt to hide malicious communications over ports and protocols that are typically allowed and not well inspected.
 how_to_implement = Running this search properly requires a technology that can inspect network traffic and identify common protocols. Technologies such as Bro and Palo Alto Networks firewalls are two examples that will identify protocols via inspection, and not just assume a specific protocol based on the transport protocol and ports.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.AE"]}
 known_false_positives = None identified
 providing_technologies = null
@@ -15214,7 +15414,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for RDP application network traffic and filters any source/destination pair generating more than twice the standard deviation of the average traffic.
 how_to_implement = You must ensure that your network traffic data is populating the Network_Traffic data model.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]}
 known_false_positives = RDP gateways may have unusually high amounts of traffic from all other hosts' RDP applications in the network.
 providing_technologies = null
@@ -15224,7 +15424,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This search looks for network traffic on TCP/3389, the default port used by remote desktop. While remote desktop traffic is not uncommon on a network, it is usually associated with known hosts. This search will ignore common RDP sources and common RDP destinations so you can focus on the uncommon uses of remote desktop on your network.
 how_to_implement = To successfully implement this search you need to identify systems that commonly originate remote desktop traffic and that commonly receive remote desktop traffic. You can use the included support search "Identify Systems Creating Remote Desktop Traffic" to identify systems that originate the traffic and the search "Identify Systems Receiving Remote Desktop Traffic" to identify systems that receive a lot of remote desktop traffic. After identifying these systems, you will need to add the "common_rdp_source" or "common_rdp_destination" category to that system depending on the usage, using the Enterprise Security Assets and Identities framework. This can be done by adding an entry in the assets.csv file located in SA-IdentityManagement/lookups.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.AE"]}
 known_false_positives = Remote Desktop may be used legitimately by users on the network.
 providing_technologies = null
@@ -15234,7 +15434,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic detects spikes in the number of Server Message Block (SMB) traffic connections. SMB is a network protocol used for sharing files, printers, and other resources between computers. This detection is made by a Splunk query that looks for SMB traffic connections on ports 139 and 445, as well as connections using the SMB application. The query calculates the average and standard deviation of the number of SMB connections over the past 70 minutes, and identifies any sources that exceed two standard deviations from the average. This helps to filter out false positives caused by normal fluctuations in SMB traffic. This detection is important because it identifies potential SMB-based attacks, such as ransomware or data theft, which often involve a large number of SMB connections. This suggests that an attacker is attempting to exfiltrate data or spread malware within the network. Next steps include investigating the source of the traffic and determining if it is malicious. This can involve reviewing network logs, capturing and analyzing any relevant network packets, and correlating with other security events to identify the attack source and mitigate the risk.
 how_to_implement = This search requires you to be ingesting your network traffic logs and populating the `Network_Traffic` data model.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1021.002", "T1021"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.002", "T1021"], "nist": ["DE.AE"]}
 known_false_positives = A file server may experience high-demand loads that could cause this analytic to trigger.
 providing_technologies = null
@@ -15247,7 +15447,7 @@ how_to_implement = To successfully implement this search, you will need to ensur
 This search produces a field (Number of events,count) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. This field contributes additional context to the notable. To see the additional metadata, add the following field, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry): \
 1. **Label:** Number of events, **Field:** count\
 Detailed documentation on how to create a new field within Incident Review is found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1021.002", "T1021"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.002", "T1021"], "nist": ["DE.AE"]}
 known_false_positives = If you are seeing more results than desired, you may consider reducing the value of the threshold in the search. You should also periodically re-run the support search to re-build the ML model on the latest data. Please update the `smb_traffic_spike_mltk_filter` macro to filter out false positive results
 providing_technologies = null
@@ -15257,7 +15457,7 @@ asset_type = Proxy
 confidence = medium
 explanation = The following analytic uses tags of SSL, TLS and certificate to identify the usage of the Splunk default certificates being utilized in the environment. Recommended guidance is to utilize valid TLS certificates which documentation may be found in Splunk Docs - https://docs.splunk.com/Documentation/Splunk/8.2.6/Security/AboutsecuringyourSplunkconfigurationwithSSL.
 how_to_implement = Ingestion of SSL/TLS data is needed and to be tagged properly as ssl, tls or certificate. This data may come from a proxy, zeek, or Splunk Streams. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1040"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1040"], "nist": ["DE.AE"]}
 known_false_positives = False positives will not be present as it is meant to assist with identifying default certificates being utilized.
 providing_technologies = null
@@ -15267,7 +15467,7 @@ asset_type = Network
 confidence = medium
 explanation = The following analytic utilizes the Certificates Datamodel to look for punycode domains, starting with xn--, found in the SSL issuer email domain. The presence of punycode here does not equate to evil, therefore we need to decode the punycode to determine what it translates to. Remove the CyberChef recipe as needed and decode manually. Note that this is not the exact location of the malicious punycode to trip CVE-2022-3602, but a method to at least identify fuzzing occurring on these email paths. What does evil look like? it will start with
 how_to_implement = Ensure data is properly being ingested into the Certificates datamodel. If decoding the of interest, the CyberChef app is needed https://splunkbase.splunk.com/app/5348. If decoding is not needed, remove the cyberchef lines.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1573"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1573"], "nist": ["DE.AE"]}
 known_false_positives = False positives may be present if the organization works with international businesses. Filter as needed.
 providing_technologies = null
@@ -15277,7 +15477,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = The following analytic looks for allowed network traffic to The Onion Router(TOR), a benign anonymity network which can be abused for a variety of nefarious purposes. Detecting Tor traffic is paramount for upholding network security and mitigating potential threats. Tor's capacity to provide users with anonymity has been exploited by cybercriminals for activities like hacking, data breaches, and illicit content dissemination. Additionally, organizations must monitor Tor usage within their networks to ensure compliance with policies and regulations, as it can bypass conventional monitoring and filtering measures. Lastly, the ability to identify Tor traffic empowers security teams to promptly investigate and address potential security incidents, fortifying the protection of sensitive data and preserving the integrity of the network environment.
 how_to_implement = In order to properly run this search, Splunk needs to ingest data from Next Generation Firewalls like Palo Alto Networks Firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search requires the Network_Traffic data model to be populated.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1090", "T1090.003"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1090", "T1090.003"], "nist": ["DE.CM"]}
 known_false_positives = None at this time
 providing_technologies = null
@@ -15297,7 +15497,7 @@ asset_type = endpoint
 confidence = medium
 explanation = This search looks for evidence of Active Directory replication traffic [MS-DRSR] from unexpected sources. This traffic is often seen exclusively between Domain Controllers for AD database replication. Any detections from non-domain controller source to a domain controller may indicate the usage of DCSync or DCShadow credential dumping techniques.
 how_to_implement = To successfully implement this search, you need to be ingesting application aware firewall or proxy logs into the Network Datamodel. Categorize all known domain controller Assets servers with an appropriate category for filtering.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1003", "T1003.006", "T1207"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003", "T1003.006", "T1207"], "nist": ["DE.CM"]}
 known_false_positives = New domain controllers or certian scripts run by administrators.
 providing_technologies = null
@@ -15307,7 +15507,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = This detection is looking at zeek wiredata for specific replication RPC calls being performed from a device which is not a domain controller. If you would like to capture these RPC calls using Splunk Stream, please vote for my idea here https://ideas.splunk.com/ideas/APPSID-I-619 ;)
 how_to_implement = Run zeek on domain controllers to capture the DCE RPC calls, ensure the domain controller categories are defined in Assets and Identities.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]}
 known_false_positives = None.
 providing_technologies = null
@@ -15317,7 +15517,7 @@ asset_type = Network
 confidence = medium
 explanation = The following analytic utilizes the Zeek x509 log. Modify the zeek_x509 macro with your index and sourcetype as needed. You will need to ensure the full x509 is logged as the potentially malicious punycode is nested under subject alternative names. In this particular analytic, it will identify punycode within the subject alternative name email and other fields. Note, that OtherFields is meant to be BOOL (true,false), therefore we may never see xn-- in that field. Upon identifying punycode, manually copy and paste, or add CyberChef recipe to query, and decode the punycode manually.
 how_to_implement = The following analytic requires x509 certificate data to be logged entirely. In particular, for CVE-2022-3602, the punycode will be within the leaf certificate. The analytic may be modified to look for all xn--, or utilize a network IDS/monitoring tool like Zeek or Suricata to drill down into cert captured. Note for Suricata, the certificate is base64 encoded and will need to be decoded to capture the punycode (punycode will need to be decoded after).
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1573"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1573"], "nist": ["DE.AE"]}
 known_false_positives = False positives may be present if the organization works with international businesses. Filter as needed.
 providing_technologies = null
@@ -15327,7 +15527,7 @@ asset_type = VPN Appliance
 confidence = medium
 explanation = This analytic monitors access to the /api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark endpoint, a key indicator for both CVE-2023-46805 and CVE-2024-21887 vulnerabilities. It detects potential vulnerabilities by looking for a 403 Forbidden response with an empty body on this endpoint. This detection method is used in both Nmap script and Project Discovery Nuclei, with the latter focusing on systems where XML mitigation for these vulnerabilities has not been applied.
 how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
 known_false_positives = This analytic is limited to HTTP Status 403; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.
 providing_technologies = null
 
@@ -15337,7 +15537,7 @@ asset_type = Network
 confidence = medium
 explanation = The following analytic detects potential exploitation attempts against Adobe ColdFusion vulnerabilities CVE-2023-29298 and CVE-2023-26360. These vulnerabilities pertain to an access control bypass and an arbitrary file read due to deserialization, respectively. By monitoring for requests to specific ColdFusion Administrator endpoints, especially those with an unexpected additional forward slash, the analytic identifies attempts to bypass access controls. Such behavior is crucial for a Security Operations Center (SOC) to identify, as exploitation can grant unauthorized access to ColdFusion administration endpoints, potentially leading to information leakage, brute force attacks, or further exploitation of other vulnerabilities. If a true positive is detected, it indicates a serious security breach where an attacker might have gained privileged access to the ColdFusion environment, potentially leading to data theft or other malicious activities. SOCs must be vigilant in monitoring for these patterns, ensuring timely detection and response to such threats, thus safeguarding the integrity and security of their ColdFusion deployments.
 how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
 known_false_positives = This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.
 providing_technologies = null
 
@@ -15349,7 +15549,7 @@ explanation = The following analytic detects potential exploitation of the criti
 Our analytic pinpoints exploitation by monitoring web requests to the "/cf_scripts/scripts/ajax/ckeditor/*" path. This focus helps differentiate malicious activity from standard ColdFusion traffic. For SOCs, detecting such attempts is vital given the vulnerability's CVSS score of 9.8, signaling its severity. Successful exploitation can lead to unauthorized data access, further attacks, or severe operational disruptions. \
 If a true positive arises, it indicates an active breach attempt, potentially causing data theft, operational disruption, or reputational damage. In essence, this analytic provides a targeted approach to identify attempts exploiting a high-risk ColdFusion vulnerability. While false positives may occur from legitimate accesses, any alerts should be treated as high-priority, warranting immediate investigation to ensure security.
 how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
 known_false_positives = In the wild, we have observed three different types of attempts that could potentially trigger false positives if the HTTP status code is not in the query. Please check this github gist for the specific URIs : https://gist.github.com/patel-bhavin/d10830f3f375a2397233f6a4fe38d5c9 . These could be legitimate requests depending on the context of your organization. Therefore, it is recommended to modify the analytic as needed to suit your specific environment.
 providing_technologies = null
 
@@ -15359,7 +15559,7 @@ asset_type = Network
 confidence = medium
 explanation = The following analytic identifies potential exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198). Successful exploitation allows an attacker to create an account on the affected device with privilege level 15 access, granting them full control of the compromised device. The detection is based on the observation of suspicious account creation and subsequent actions, including the deployment of an implant consisting of a configuration file. The implant is saved under the file path //usr//binos//conf//nginx-conf//cisco_service.conf and is not persistent, meaning a device reboot will remove it, but the newly created local user accounts remain active even after system reboots. The new user accounts have level 15 privileges, meaning they have full administrator access to the device. This privileged access to the devices and subsequent creation of new users is tracked as CVE-2023-20198.
 how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present, restrict to Cisco IOS XE devices or perimeter appliances. Modify the analytic as needed based on hunting for successful exploitation of CVE-2023-20198.
 providing_technologies = null
 
@@ -15372,7 +15572,7 @@ This behavior is essential for a Security Operations Center (SOC) to identify be
 If a true positive is confirmed, it implies that an attacker is actively exploiting the vulnerability within the organization's environment. This could lead to severe consequences, including unauthorized data access, further propagation within the network, and potential disruptions or exfiltration of critical information. \
 Upon flagging such activity, it's crucial for analysts to swiftly validate the alert, assess the nature and extent of the exposure, and implement necessary measures to mitigate the threat. Reviewing the details such as user agent, source, and destination IP can help in understanding the context and intent of the attack. While it's imperative to patch vulnerable systems to prevent this exploitation, early detection through this analytic provides a valuable layer of defense, enabling timely response to thwart potential breaches.
 how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. We recommend hunting in the environment first to understand the scope of the issue and then deploying this detection to monitor for future exploitation attempts. Limit or restrict to Citrix devices only if possible.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present based on organization use of Citrix ADC and Gateway. Filter, or restrict the analytic to Citrix devices only.
 providing_technologies = null
 
@@ -15385,7 +15585,7 @@ Given the specific nature of the vulnerability, upon deploying this analytic it
 The search query provided examines web data for POST requests made to specific URLs associated with the exploitation of this vulnerability. It aggregates and presents data to highlight potential exploitation attempts, taking into account elements like user agent, HTTP method, URL length, source, and destination. \
 Please be aware that this analytic is based on current understanding of the vulnerability, and adjustments may be required as more information becomes available.
 how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]}
 known_false_positives = False positives may be present based on organization use of SAML utilities. Filter, or restrict the analytic to Citrix devices only.
 providing_technologies = null
 
@@ -15398,7 +15598,7 @@ This behavior is significant for a Security Operations Center (SOC) to identify,
 The impact of this behavior, if a true positive, can be quite significant. An attacker could compromise the Documentum application, manipulate or steal sensitive content, and potentially gain unauthorized access to other system resources. An intrusion of this nature could disrupt business operations, result in data breaches, and even damage the organization's reputation. \
 However, it's important to note that false positives may occur. For example, legitimate but uncommon file uploads might match these URL patterns. It's crucial to verify any alerts generated by this analytic to ensure accurate threat detection. This analytic provides critical insights into potential attack attempts and assists in maintaining the integrity and security of enterprise content management systems like Documentum.
 how_to_implement = Dependent upon the placement of the ShareFile application, ensure the latest Technology Add-On is eneabled. This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. The ShareFile application is IIS based, therefore ingesting IIS logs and reviewing for the same pattern would identify this activity, successful or not.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]}
 known_false_positives = False positives may be present, filtering may be needed. Also, restricting to known web servers running IIS or ShareFile will change this from Hunting to TTP.
 providing_technologies = null
 
@@ -15408,7 +15608,7 @@ asset_type = Web server
 confidence = medium
 explanation = The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, targeting the /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false* and /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0& URLs. By analyzing web logs within the Splunk 'Web' Data Model, it filters for successful accesses (HTTP status 200) to these vulnerable endpoints. Such behavior is crucial for a SOC to monitor, as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. A true positive implies a possible unauthorized access or account creation with escalated privileges. Key details captured include user-agent, HTTP methods, URL length, and source and destination IPs. These insights aid SOCs in swiftly detecting and responding to threats, ensuring vulnerabilities are mitigated before substantial compromise.
 how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. Tested with Suricata and nginx:plus:kv.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to Confluence servers.
 providing_technologies = null
 
@@ -15418,7 +15618,7 @@ asset_type = Web server
 confidence = medium
 explanation = The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, targeting the /setup/*.action* URL pattern. By analyzing web logs within the Splunk 'Web' Data Model, it filters for successful accesses (HTTP status 200) to these vulnerable endpoints. Such behavior is crucial for a SOC to monitor, as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. A true positive implies a possible unauthorized access or account creation with escalated privileges. Key details captured include user-agent, HTTP methods, URL length, and source and destination IPs. These insights aid SOCs in swiftly detecting and responding to threats, ensuring vulnerabilities are mitigated before substantial compromise.
 how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to confluence servers.
 providing_technologies = null
 
@@ -15428,7 +15628,7 @@ asset_type = Web Application
 confidence = medium
 explanation = This analytic identifies a critical template injection vulnerability (CVE-2023-22527) in outdated versions of Confluence Data Center and Server, which allows an unauthenticated attacker to execute arbitrary code remotely. The vulnerability is exploited by injecting OGNL (Object-Graph Navigation Language) expressions into the application, as evidenced by POST requests to the "/template/aui/text-inline.vm" endpoint with specific content types and payloads. The search looks for POST requests with HTTP status codes 200 or 202, which may indicate successful exploitation attempts. Immediate patching to the latest version of Confluence is strongly recommended, as there are no known workarounds. This detection is crucial for identifying and responding to potential RCE attacks, ensuring that affected Confluence instances are secured against this critical threat.
 how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to confluence servers.
 providing_technologies = null
 
@@ -15438,7 +15638,7 @@ asset_type = Web Server
 confidence = medium
 explanation = The following analytic assists with identifying CVE-2022-26134 based exploitation utilizing the Web datamodel to cover network and CIM compliant web logs. The parameters were captured from live scanning and the POC provided by Rapid7. This analytic is written against multiple proof of concept codes released and seen in the wild (scanning). During triage, review any endpoint based logs for further activity including writing a jsp file to disk and commands/processes spawning running as root from the Confluence process.
 how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx. In addition, network based logs or event data like PAN Threat.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1505", "T1190", "T1133"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505", "T1190", "T1133"], "nist": ["DE.CM"]}
 known_false_positives = Tune based on assets if possible, or restrict to known Confluence servers. Remove the ${ for a more broad query. To identify more exec, remove everything up to the last parameter (Runtime().exec) for a broad query.
 providing_technologies = null
 
@@ -15448,7 +15648,7 @@ asset_type = Web Server
 confidence = medium
 explanation = This search looks for specific GET or HEAD requests to web servers that are indicative of reconnaissance attempts to identify vulnerable JBoss servers. JexBoss is described as the exploit tool of choice for this malicious activity.
 how_to_implement = You must be ingesting data from the web server or network traffic that contains web specific information, and populating the Web data model.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1082", "T1133"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1082", "T1133"], "nist": ["DE.CM"]}
 known_false_positives = It's possible for legitimate HTTP requests to be made to URLs containing the suspicious paths.
 providing_technologies = null
 
@@ -15458,7 +15658,7 @@ asset_type = Network
 confidence = medium
 explanation = This search detects remote code exploit attempts on F5 BIG-IP, BIG-IQ, and Traffix SDC devices
 how_to_implement = To consistently detect exploit attempts on F5 devices using the vulnerabilities contained within CVE-2020-5902 it is recommended to ingest logs via syslog. As many BIG-IP devices will have SSL enabled on their management interfaces, detections via wire data may not pick anything up unless you are decrypting SSL traffic in order to inspect it. I am using a regex string from a Cloudflare mitigation technique to try and always catch the offending string (..;), along with the other exploit of using (hsqldb;).
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
 known_false_positives = unknown
 providing_technologies = null
 
@@ -15478,7 +15678,7 @@ asset_type = Web Server
 confidence = medium
 explanation = The following analytic identifies activity related to Text4Shell, or the critical vulnerability CVE-2022-42889 in Apache Commons Text Library. Apache Commons Text versions 1.5 through 1.9 are affected, but it has been patched in version 1.10. The analytic may need to be tuned for your environment before enabling as a TTP, or direct Notable. Apache Commons Text is a Java library described as a library focused on algorithms working on strings. We can see it as a general-purpose text manipulation toolkit. This vulnerability affects the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes the script, dns, and url lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups.
 how_to_implement = To implement, one must be collecting network traffic that is normalized in CIM and able to be queried via the Web datamodel. Or, take the chunks out needed and tie to a specific network source type to hunt in. Tune as needed, or remove the other_lookups statement.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1505.003", "T1505", "T1190", "T1133"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505.003", "T1505", "T1190", "T1133"], "nist": ["DE.AE"]}
 known_false_positives = False positives are present when the values are set to 1 for utf and lookup. It's possible to raise this to TTP (direct notable) if removal of other_lookups occur and Score is raised to 2 (down from 4).
 providing_technologies = null
 
@@ -15488,7 +15688,7 @@ asset_type = Network
 confidence = medium
 explanation = The following analytic identifies a recent CVE-2022-39952 released publicly where the URI configWizard/keyUpload.jsp recieves a POST with the payload.zip, from there the POC script will schedule a cron to run the payload and contact the remote C2.
 how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present. Modify the query as needed to POST, or add additional filtering (based on log source).
 providing_technologies = null
 
@@ -15512,7 +15712,7 @@ Update networking configurations to reroute traffic. \
 Download the system configuration. \
 Initiate packet captures to capture other sensitive system information. Reference Horizon3.ai
 how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache. Splunk for Nginx, or Splunk for Palo Alto.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
 known_false_positives = GET requests will be noisy and need to be filtered out or removed from the query based on volume. Restrict analytic to known publically facing Fortigates, or run analytic as a Hunt until properly tuned. It is also possible the user agent may be filtered on Report Runner or Node.js only for the exploit, however, it is unknown at this if other user agents may be used.
 providing_technologies = null
 
@@ -15532,7 +15732,7 @@ lookup matching is meant to catch some basic obfuscation that has been identifie
 Scoring will then occur based on any findings. The base score is meant to be 2 , created by jndi_fastmatch. Everything else is meant to increase that score. \
 Finally, a simple table is created to show the scoring and the _raw field. Sort based on score or columns of interest.
 how_to_implement = Out of the box, the Web datamodel is required to be pre-filled. However, tested was performed against raw httpd access logs. Change the first line to any dataset to pass the regex's against.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]}
 known_false_positives = It is highly possible you will find false positives, however, the base score is set to 2 for _any_ jndi found in raw logs. tune and change as needed, include any filtering.
 providing_technologies = null
 
@@ -15542,17 +15742,27 @@ asset_type = VPN Appliance
 confidence = medium
 explanation = This analytic is designed to identify the exploit phase of the CVE-2023-46805 and CVE-2024-21887 vulnerabilities. During this phase, a POST request is made to the /api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection URI. This request exploits the command injection vulnerability to execute arbitrary commands. A successful request, indicated by a 200 OK response, suggests that the system is vulnerable.
 how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
 known_false_positives = This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.
 providing_technologies = null
 
+[savedsearch://ESCU - Ivanti Connect Secure SSRF in SAML Component - Rule]
+type = detection
+asset_type = VPN Appliance
+confidence = medium
+explanation = The following analytic is designed to identify POST request activities targeting specific endpoints known to be vulnerable to the SSRF issue (CVE-2024-21893) in Ivanti's products. It aggregates data from the Web data model, focusing on endpoints /dana-ws/saml20.ws, /dana-ws/saml.ws, /dana-ws/samlecp.ws, and /dana-na/auth/saml-logout.cgi. The query filters for POST requests that received a HTTP 200 OK response, indicating successful request execution.
+how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+known_false_positives = This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the HTTP Status is removed, as most failed attempts result in a 301. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.
+providing_technologies = null
+
 [savedsearch://ESCU - Ivanti Connect Secure System Information Access via Auth Bypass - Rule]
 type = detection
 asset_type = VPN Appliance
 confidence = medium
 explanation = This analytic is designed to identify the "check phase" of the CVE-2023-46805 and CVE-2024-21887 vulnerabilities. During this phase, a GET request is made to the /api/v1/totp/user-backup-code/../../system/system-information URI. This request exploits the authentication bypass vulnerability to gain access to system information. A successful request, indicated by a 200 OK response, suggests that the system is vulnerable.
 how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]}
 known_false_positives = This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.
 providing_technologies = null
 
@@ -15562,7 +15772,7 @@ asset_type = Web Server
 confidence = medium
 explanation = The given analytic is designed to detect the exploitation of CVE-2023-35078, a vulnerability in Ivanti Endpoint Manager Mobile (EPMM) affecting versions up to 11.4. Specifically, the query searches web logs for HTTP requests to the potentially vulnerable endpoint "/mifs/aad/api/v2/authorized/users?*" with a successful status code of 200. This analytic is instrumental in detecting unauthorized remote access to restricted functionalities or resources within the application, a behavior worth identifying for a Security Operations Center (SOC). By monitoring specific patterns and successful access indicators, it reveals an active attempt to exploit the vulnerability, potentially leading to data theft, unauthorized modifications, or further system compromise. If successfully executed, the impact can be severe, necessitating immediate action.
 how_to_implement = To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
 known_false_positives = The Proof of Concept exploit script indicates that status=200 is required for successful exploitation of the vulnerability. False positives may be present if status=200 is removed from the search. If it is removed,then the search also alert on status=301 and status=404 which indicates unsuccessful exploitation attempts. Analysts may find it useful to hunt for these status codes as well, but it is likely to produce a significant number of alerts as this is a widespread vulnerability.
 providing_technologies = null
 
@@ -15572,7 +15782,7 @@ asset_type = Web Server
 confidence = medium
 explanation = The following analytic detects potential unauthorized access attempts exploiting CVE-2023-35082 within Ivantis software products. Initially assessed to affect only MobileIron Core versions up to 11.2, further insights revealed its influence extending to Ivanti Endpoint Manager Mobile (EPMM) versions 11.10, 11.9, 11.8, and MobileIron Core 11.7 and below. The vulnerability facilitates unauthorized API access via the specific URI path /mifs/asfV3/api/v2/. The analytic identifies this behavior by monitoring web access logs for this URI pattern coupled with a HTTP 200 response code, signifying successful unauthorized access. \
 Such behavior is imperative for a Security Operations Center (SOC) to recognize, as it highlights potential security breaches which, if not addressed, could lead to unauthorized data access, system modifications, or further exploitation. In the event of a true positive, the implications are severe: an attacker might have gained unbridled access to sensitive organizational data or could modify systems maliciously. Be vigilant of potential false positives; benign activities might occasionally match the pattern. During triage, closely scrutinize the source of the access request and its subsequent actions. This analytic aids analysts in early threat detection, allowing for proactive risk mitigation.
 how_to_implement = To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
 known_false_positives = Similar to CVE-2023-35078, the path for exploitation indicates that status=200 is required for successful exploitation of the vulnerability. False positives may be present if status=200 is removed from the search. If it is removed,then the search also alert on status=301 and status=404 which indicates unsuccessful exploitation attempts. Analysts may find it useful to hunt for these status codes as well, but it is likely to produce a significant number of alerts as this is a widespread vulnerability.
 providing_technologies = null
 
@@ -15582,7 +15792,7 @@ asset_type = Network
 confidence = medium
 explanation = This analytic is designed to detect unauthenticated access to the System Manager Portal in Ivanti Sentry, formerly known as MobileIron Sentry. The vulnerability, designated as CVE-2023-38035, affects all supported versions 9.18, 9.17, and 9.16, as well as older versions. The analytic works by monitoring for changes in the configuration of Sentry and the underlying operating system. Such changes could indicate an attacker attempting to execute OS commands as root. This behavior is of significant concern for a Security Operations Center (SOC) as it presents a substantial security risk, particularly if port 8443, the default port for the System Manager Portal, is exposed to the internet. If the analytic returns a true positive, it suggests that an attacker has gained unauthorized access to the Sentry system, potentially leading to a significant system compromise and data breach. It is important to note that while the issue has a high CVSS score, the risk of exploitation is low for customers who do not expose port 8443 to the internet. The search specifically looks for HTTP requests to certain endpoints ("/mics/services/configservice/*", "/mics/services/*","/mics/services/MICSLogService*") and HTTP status code of 200. Unusual or unexpected patterns in these parameters could indicate an attack.
 how_to_implement = To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
 known_false_positives = It is important to note that false positives may occur if the search criteria are expanded beyond the HTTP status code 200. 
In other words, if the search includes other HTTP status codes, the likelihood of encountering false positives increases. This is due to the fact that HTTP status codes other than 200 may not necessarily indicate a successful exploitation attempt.
 providing_technologies = null
@@ -15592,7 +15802,7 @@ asset_type = Web server
 confidence = medium
 explanation = The following analtyic identifies a Jenkins Arbitrary File Read CVE-2024-23897 exploitation. This attack allows an attacker to read arbitrary files on the Jenkins server. This can be used to obtain sensitive information such as credentials, private keys, and other sensitive information.
 how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. If unable to utilize the Web datamodel, modify query to your data source.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
 known_false_positives = False positives should be limited as this detection is based on a specific URL path and HTTP status code. Adjust the search as necessary to fit the environment.
 providing_technologies = null 
@@ -15602,7 +15812,7 @@ asset_type = Web server
 confidence = medium
 explanation = The following analytic is designed to detect attempts to exploit the CVE-2023-42793 vulnerability in TeamCity On-Premises. It focuses on identifying suspicious POST requests to /app/rest/users/id:1/tokens/RPC2, which is the initial point of exploitation. This could indicate an unauthenticated attacker trying to gain administrative access through Remote Code Execution (RCE).
 how_to_implement = The following analytic requires the Web datamodel. Ensure data source is mapped correctly or modify and tune for your data source.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
 known_false_positives = If TeamCity is not in use, this analytic will not return results. Monitor and tune for your environment.
 providing_technologies = null 
@@ -15612,7 +15822,7 @@ asset_type = Web server
 confidence = medium
 explanation = The following analytic detects the exploitation of a remote code execution vulnerability in Juniper Networks devices. The vulnerability involves multiple steps, including uploading a malicious PHP file and an INI file to the target server, and then executing the PHP code by manipulating the PHP configuration via the uploaded INI file. The analytic specifically looks for requests to /webauth_operation.php?PHPRC=*, which are used to upload the files and execute the code, respectively. This behavior is worth identifying for a SOC because it indicates that an attacker is attempting to exploit the vulnerability to gain unauthorized access to the device and execute arbitrary code. If a true positive is found, it suggests that an attacker has successfully exploited the vulnerability and may have gained control over the device, leading to data theft, network compromise, or other damaging outcomes. Upon triage, review the request parameters and the response to determine if the exploitation was successful. Capture and inspect any relevant network traffic and server logs to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks.
 how_to_implement = To implement this search, ensure that the Web data model is populated. The search is activated when the Web data model is accelerated. Network products, such as Suricata or Palo Alto, need to be mapped to the Web data model. Adjust the mapping as necessary to suit your specific products. 
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190", "T1105", "T1059"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Command and Control", "Installation"], "mitre_attack": ["T1190", "T1105", "T1059"], "nist": ["DE.CM"]}
 known_false_positives = Be aware of potential false positives - legitimate uses of the /webauth_operation.php endpoint may cause benign activities to be flagged.The URL in the analytic is specific to a successful attempt to exploit the vulnerability. Review contents of the HTTP body to determine if the request is malicious. If the request is benign, add the URL to the whitelist or continue to monitor.
 providing_technologies = null 
@@ -15622,7 +15832,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited.
 how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]}
 known_false_positives = If there is a vulnerablility scannner looking for log4shells this will trigger, otherwise likely to have low false positives. 
providing_technologies = null
@@ -15632,7 +15842,7 @@ asset_type = Endpoint
 confidence = medium
 explanation = CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we match the invocation function with a network connection to a malicious ip address.
 how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx.
-annotations = {"cis20": ["CIS 10"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]}
 known_false_positives = If there is a vulnerablility scannner looking for log4shells this will trigger, otherwise likely to have low false positives.
 providing_technologies = null 
@@ -15642,7 +15852,7 @@ asset_type = Web Server
 confidence = medium
 explanation = The following analytic detects potential exploitation attempts against Microsoft SharePoint Server vulnerability CVE-2023-29357. This vulnerability pertains to an elevation of privilege due to improper handling of authentication tokens. By monitoring for suspicious activities related to SharePoint Server, the analytic identifies attempts to exploit this vulnerability. If a true positive is detected, it indicates a serious security breach where an attacker might have gained privileged access to the SharePoint environment, potentially leading to data theft or other malicious activities.
 how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Microsoft SharePoint.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]}
 known_false_positives = False positives may occur if there are legitimate activities that mimic the exploitation pattern. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.
 providing_technologies = null 
@@ -15662,7 +15872,7 @@ asset_type = Web Server
 confidence = medium
 explanation = The following analytic is designed to detect potential exploitation attempts on publicly accessible PaperCut NG servers. It identifies connections from public IP addresses to the server and specifically monitors for URI paths commonly found in proof-of-concept (POC) scripts for exploiting PaperCut NG vulnerabilities. These URI paths have been observed in both Metasploit modules and standalone scripts used for attacking PaperCut NG servers. When a public IP address is detected accessing one or more of these suspicious URI paths, an alert may be generated to notify the security team of the potential threat. The team can then investigate the source IP address, the targeted PaperCut NG server, and any other relevant information to determine the nature of the activity and take appropriate actions to mitigate the risk.
 how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present, filter as needed.
 providing_technologies = null 
@@ -15672,7 +15882,7 @@ asset_type = Web Server
 confidence = medium
 explanation = The following correlation will identify activity related to Windows Exchange being actively exploited by adversaries related to ProxyShell or ProxyNotShell. In addition, the analytic correlates post-exploitation Cobalt Strike analytic story. Common post-exploitation behavior has been seen in the wild includes adversaries running nltest, Cobalt Strike, Mimikatz and adding a new user. The correlation specifically looks for 5 distinct analyticstories to trigger. Modify or tune as needed for your organization. 5 analytics is an arbitrary number but was chosen to reduce the amount of noise but also require the 2 analytic stories or a ProxyShell and CobaltStrike to fire. Adversaries will exploit the vulnerable Exchange server, abuse SSRF, drop a web shell, utilize the PowerShell Exchange modules and begin post-exploitation.
 how_to_implement = To implement this correlation, you will need to enable ProxyShell, ProxyNotShell and Cobalt Strike analytic stories (the anaytics themselves) and ensure proper data is being collected for Web and Endpoint datamodels. Run the correlation rule seperately to validate it is not triggering too much or generating incorrectly. Validate by running ProxyShell POC code and Cobalt Strike behavior.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]}
 known_false_positives = False positives will be limited, however tune or modify the query as needed.
 providing_technologies = null 
@@ -15682,7 +15892,7 @@ asset_type = Web Server
 confidence = medium
 explanation = The following analytic is static indicators related to CVE-2022-22963, Spring4Shell. The 3 indicators provide an amount of fidelity that source IP is attemping to exploit a web shell on the destination. The filename and cmd are arbitrary in this exploitation. Java will write a JSP to disk and a process will spawn from Java based on the cmd passed. This is indicative of typical web shell activity.
 how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1505.003", "T1505", "T1190", "T1133"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505.003", "T1505", "T1190", "T1133"], "nist": ["DE.CM"]}
 known_false_positives = The jsp file names are static names used in current proof of concept code. =
 providing_technologies = null 
@@ -15692,7 +15902,7 @@ asset_type = Database Server
 confidence = medium
 explanation = The following analytic detects long URLs that contain multiple SQL commands. A proactive approach helps to detect and respond to potential threats earlier, mitigating the risks associated with SQL injection attacks. This detection is made by a Splunk query that searches for web traffic data where the destination category is a web server and the URL length is greater than 1024 characters or the HTTP user agent length is greater than 200 characters. This detection is important because it suggests that an attacker is attempting to exploit a web application through SQL injection. SQL injection is a common technique used by attackers to exploit vulnerabilities in web applications and gain unauthorized access to databases. Attackers can insert malicious SQL commands into a URL to manipulate the application's database and retrieve sensitive information or modify data. The impact of a successful SQL injection attack can be severe, potentially leading to data breaches, unauthorized access, and even complete compromise of the affected system. False positives might occur since the legitimate use of web applications or specific URLs in your environment can trigger the detection. Therefore, you must review and validate any alerts generated by this analytic before taking any action. Next steps include reviewing the source and destination of the web traffic, as well as the specific URL and HTTP user agent. Additionally, capture and analyze any relevant on-disk artifacts and review concurrent processes to determine the source of the attack.
 how_to_implement = To successfully implement this search, you need to be monitoring network communications to your web servers or ingesting your HTTP logs and populating the Web data model. You must also identify your web servers in the Enterprise Security assets table. 
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
 known_false_positives = It's possible that legitimate traffic will have long URLs or long user agent strings and that common SQL commands may be found within the URL. Please investigate as appropriate.
 providing_technologies = null 
@@ -15702,7 +15912,7 @@ asset_type = Web Server
 confidence = medium
 explanation = The following analytic detects the presence of the Supernova webshell, which was used in the SUNBURST attack. This webshell can be used by attackers to gain unauthorized access to a compromised system and run arbitrary code. This detection is made by a Splunk query that searches for specific patterns in web URLs, including "*logoimagehandler.ashx*codes*", "*logoimagehandler.ashx*clazz*", "*logoimagehandler.ashx*method*", and "*logoimagehandler.ashx*args*". These patterns are commonly used by the Supernova webshell to communicate with its command and control server. This detection is important because it indicates a potential compromise and unauthorized access to the system to run arbitrary code, which can lead to data theft, ransomware, or other damaging outcomes. False positives might occur since the patterns used by the webshell can also be present in legitimate web traffic. In such cases, tune the search to the specific environment and monitor it closely for any suspicious activity. Next steps include reviewing the web URLs and inspecting any relevant on-disk artifacts. Additionally, review concurrent processes and network connections to identify the source of the attack.
 how_to_implement = To successfully implement this search, you need to be monitoring web traffic to your Solarwinds Orion. The logs should be ingested into splunk and populating/mapped to the Web data model.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1505.003", "T1133"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505.003", "T1133"], "nist": ["DE.CM"]}
 known_false_positives = There might be false positives associted with this detection since items like args as a web argument is pretty generic.
 providing_technologies = null 
@@ -15715,7 +15925,7 @@ The analytic operates by monitoring web traffic, specifically HTTP POST requests
 The behavior this analytic detects is the sending of HTTP POST requests to the vulnerable endpoint. This is a significant indicator of an attempted exploit as it is the primary method used to trigger the vulnerability. The analytic detects this behavior by analyzing web traffic data and identifying HTTP POST requests directed at the vulnerable endpoint.\ Identifying this behavior is crucial for a Security Operations Center (SOC) as it can indicate an active attempt to exploit a known vulnerability within the network. If the identified behavior is a true positive, it suggests an attacker is attempting to exploit the CVE-2023-20887 vulnerability in VMWare vRealize Network Insight. The impact of such an attack could be severe, potentially allowing the attacker to execute arbitrary code on the affected system, leading to unauthorized access, data theft, or further propagation within the network.
 how_to_implement = To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. Restrict to specific dest assets to reduce false positives.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1133", "T1190", "T1210", "T1068"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation", "Exploitation"], "mitre_attack": ["T1133", "T1190", "T1210", "T1068"], "nist": ["DE.CM"]}
 known_false_positives = False positives will be present based on gateways in use, modify the status field as needed.
 providing_technologies = null 
@@ -15725,7 +15935,7 @@ asset_type = Web Server
 confidence = medium
 explanation = The following hunting analytic identifies the server side template injection related to CVE-2022-22954, however is a variation found within the same endpoint of the URL scheme.
 how_to_implement = To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]}
 known_false_positives = False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed.
 providing_technologies = null 
@@ -15735,7 +15945,7 @@ asset_type = Web Server
 confidence = medium
 explanation = The following analytic identifies the server side template injection related to CVE-2022-22954. Based on the scanning activity across the internet and proof of concept code available the template injection occurs at catalog-portal/ui/oauth/verify?error=&deviceudid=. Upon triage, review parallel processes and VMware logs. Following the deviceudid= may be a command to be executed. Capture any file creates and review modified files on disk.
 how_to_implement = To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]}
 known_false_positives = False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed.
 providing_technologies = null 
@@ -15745,7 +15955,7 @@ asset_type = Web Server
 confidence = medium
 explanation = The following analytic identifies the common URL requests used by a recent CVE - CVE-2022-22965, or Spring4Shell, to access a webshell on the remote webserver. The filename and cmd are arbitrary in this exploitation. Java will write a JSP to disk and a process will spawn from Java based on the cmd passed. This is indicative of typical web shell activity.
 how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1505.003", "T1505", "T1190", "T1133"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505.003", "T1505", "T1190", "T1133"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to servers.
 providing_technologies = null 
@@ -15755,7 +15965,7 @@ asset_type = web server
 confidence = medium
 explanation = The following analytic identifies an attempt to access the Remote ShellServlet on a web server. This servlet is used to execute commands on the server. This activity is often associated with web shells and other malicious activity. This activity was identified against a Confluence server related to CVE-2023-22518 and CVE-2023-22515. Activity prior to access to the shell servlet include adding a plugin to Confluence. In addition, monitor for ShellServlet?act=3, ShellServlet or obfuscated variations including Sh3llServlet1.
 how_to_implement = The following analytic requires collection of Web data. The data can be collected via Splunk Stream, or by using the Splunk Add-on for Apache Web Server. The analytic does not require any additional configuration.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present based on the web server configuration. If the web server is configured to use the Remote ShellServlet, then this analytic will not be a true positive.
 providing_technologies = null 
@@ -15765,7 +15975,7 @@ asset_type = Web Server
 confidence = medium
 explanation = The following analytic identifies the payload related to Spring4Shell, CVE-2022-22965. This analytic uses Splunk Stream HTTP to view the http request body, form data. STRT reviewed all the current proof of concept code and determined the commonality with the payloads being passed used the same fields "class.module.classLoader.resources.context.parent.pipeline.first".
 how_to_implement = To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
 known_false_positives = False positives may occur and filtering may be required. Restrict analytic to asset type.
 providing_technologies = null 
@@ -15775,7 +15985,7 @@ asset_type = Web Server
 confidence = medium
 explanation = The following analytic identifies activity related to the web application Spring Cloud Function that was recently idenfied as vulnerable. This is CVE-2022-22963. Multiple proof of concept code was released. The URI that is hit includes `functionrouter`. The specifics of the exploit include a status of 500. In this query we did not include it, but for filtering you can add Web.status=500. The exploit data itself (based on all the POCs) is located in the form_data field. This field will include all class.modules being called.
 how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
 known_false_positives = False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to servers.
 providing_technologies = null 
@@ -15785,7 +15995,7 @@ asset_type = Web server
 confidence = medium
 explanation = The following analytic utilizes the Web datamodel and identifies the ProxyShell or ProxyNotShell abuse. This vulnerability is a Server Side Request Forgery (SSRF) vulnerability, which is a web vulnerability that allows an adversary to exploit vulnerable functionality to access server side or local network services by affectively traversing the external firewall using vulnerable web functionality. This analytic looks for the URI path and query of autodiscover, powershell and mapi along with a POST occurring. It will tally a simple score and show the output of the events that match. This analytic may be added to by simply creating a new eval statement and modifying the hardcode digit for Score.
 how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic, Exchange OR IIS logs, mapped to `Web` datamodel in the `Web` node. In addition, confirm the latest CIM App 4.20 or higher is installed.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
 known_false_positives = False positives are limited.
 providing_technologies = null 
@@ -15795,7 +16005,7 @@ asset_type = Web server
 confidence = medium
 explanation = The following analytic is designed to detect a Remote Code Execution (RCE) vulnerability (CVE-2023-40044) in WS_FTP, a managed file transfer software by Progress. The search specifically looks for HTTP requests to the "/AHT/AhtApiService.asmx/AuthUser" URL with a status of 200, which could indicate an exploitation attempt.
 how_to_implement = The following analytic requires the Web datamodel. Ensure data source is mapped correctly or modify and tune for your data source.
-annotations = {"cis20": ["CIS 13"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
 known_false_positives = If WS_FTP Server is not in use, this analytic will not return results. Monitor and tune for your environment. Note the MetaSploit module is focused on only hitting /AHT/ and not the full /AHT/AhtApiService.asmx/AuthUser URL.
 providing_technologies = null 
@@ -16114,7 +16324,7 @@ version = 2
 references = ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis", "https://azure.microsoft.com/en-us/services/active-directory/#overview", "https://attack.mitre.org/techniques/T1586/", "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad", "https://www.imperva.com/learn/application-security/account-takeover-ato/", "https://www.varonis.com/blog/azure-active-directory", "https://www.barracuda.com/glossary/account-takeover"]
 maintainers = [{"company": "Splunk", "email": "-", "name": "Mauricio Velazco"}]
 spec_version = 3
-searches = ["ESCU - Azure Active Directory High Risk Sign-in - Rule", "ESCU - Azure AD Authentication Failed During MFA Challenge - Rule", "ESCU - Azure AD Block User Consent For Risky Apps Disabled - Rule", "ESCU - Azure AD Concurrent Sessions From Different Ips - Rule", "ESCU - Azure AD Device Code Authentication - Rule", "ESCU - Azure AD High Number Of Failed Authentications For User - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD Multi-Factor Authentication Disabled - Rule", "ESCU - Azure AD Multi-Source Failed Authentications Spike - Rule", "ESCU - Azure AD Multiple AppIDs and UserAgents Authentication Spike - Rule", "ESCU - Azure AD Multiple Denied MFA Requests For User - Rule", "ESCU - Azure AD Multiple Failed MFA Requests For User - Rule", "ESCU - Azure AD Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - Azure AD New MFA Method Registered For User - Rule", "ESCU - Azure AD OAuth Application Consent Granted By User - Rule", "ESCU - Azure AD Successful Authentication From Different Ips - Rule", "ESCU - Azure AD Successful PowerShell Authentication - Rule", "ESCU - Azure AD Successful Single-Factor Authentication - Rule", "ESCU - Azure AD Unusual Number of Failed Authentications From Ip - Rule", "ESCU - Azure AD User Consent Blocked for Risky Application - Rule", "ESCU - Azure AD User Consent Denied for OAuth Application - Rule"]
+searches = ["ESCU - Azure Active Directory High Risk Sign-in - Rule", "ESCU - Azure AD Authentication Failed During MFA Challenge - Rule", "ESCU - Azure AD Block User Consent For Risky Apps Disabled - Rule", "ESCU - Azure AD Concurrent Sessions From Different Ips - Rule", "ESCU - Azure AD Device Code Authentication - Rule", "ESCU - Azure AD High Number Of Failed Authentications For User - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD Multi-Factor Authentication Disabled - Rule", "ESCU - Azure AD Multi-Source Failed Authentications Spike - Rule", "ESCU - Azure AD Multiple AppIDs and UserAgents Authentication Spike - Rule", "ESCU - Azure AD Multiple Denied MFA Requests For User - Rule", "ESCU - Azure AD Multiple Failed MFA Requests For User - Rule", "ESCU - Azure AD Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - Azure AD New MFA Method Registered For User - Rule", "ESCU - Azure AD OAuth Application Consent Granted By User - Rule", "ESCU - Azure AD Service Principal Authentication - Rule", "ESCU - Azure AD Successful Authentication From Different Ips - Rule", "ESCU - Azure AD Successful PowerShell Authentication - Rule", "ESCU - Azure AD Successful Single-Factor Authentication - Rule", "ESCU - Azure AD Unusual Number of Failed Authentications From Ip - Rule", "ESCU - Azure AD User Consent Blocked for Risky Application - Rule", "ESCU - Azure AD User Consent Denied for OAuth Application - Rule"]
 description = Monitor for activities and techniques associated with Account Takover attacks against Azure Active Directory tenants.
 narrative = Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic storic groups detections that can help security operations teams identify the potential compromise of Azure Active Directory accounts. 
@@ -16125,7 +16335,7 @@ version = 1
 references = ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis", "https://azure.microsoft.com/en-us/services/active-directory/#overview", "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad", "https://attack.mitre.org/tactics/TA0003/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/Persistence/"]
 maintainers = [{"company": "Splunk", "email": "-", "name": "Mauricio Velazco"}]
 spec_version = 3
-searches = ["ESCU - Azure AD External Guest User Invited - Rule", "ESCU - Azure AD Global Administrator Role Assigned - Rule", "ESCU - Azure AD New Custom Domain Added - Rule", "ESCU - Azure AD New Federated Domain Added - Rule", "ESCU - Azure AD New MFA Method Registered - Rule", "ESCU - Azure AD PIM Role Assigned - Rule", "ESCU - Azure AD PIM Role Assignment Activated - Rule", "ESCU - Azure AD Privileged Role Assigned - Rule", "ESCU - Azure AD Service Principal Created - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule", "ESCU - Azure AD Tenant Wide Admin Consent Granted - Rule", "ESCU - Azure AD User Enabled And Password Reset - Rule", "ESCU - Azure AD User ImmutableId Attribute Updated - Rule", "ESCU - Azure Automation Account Created - Rule", "ESCU - Azure Automation Runbook Created - Rule", "ESCU - Azure Runbook Webhook Created - Rule"]
+searches = ["ESCU - Azure AD External Guest User Invited - Rule", "ESCU - Azure AD FullAccessAsApp Permission Assigned - Rule", "ESCU - Azure AD Global Administrator Role Assigned - Rule", "ESCU - Azure AD Multiple Service Principals Created by SP - Rule", "ESCU - Azure AD Multiple Service Principals Created by User - Rule", "ESCU - Azure AD New Custom Domain Added - Rule", "ESCU - Azure AD New Federated Domain Added - Rule", "ESCU - Azure AD New MFA Method Registered - Rule", "ESCU - Azure AD PIM Role Assigned - Rule", "ESCU - Azure AD PIM Role Assignment Activated - Rule", "ESCU - Azure AD Privileged Graph API Permission Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned - Rule", "ESCU - Azure AD Service Principal Created - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule", "ESCU - Azure AD Tenant Wide Admin Consent Granted - Rule", "ESCU - Azure AD User Enabled And Password Reset - Rule", "ESCU - Azure AD User ImmutableId Attribute Updated - Rule", "ESCU - Azure Automation Account Created - Rule", "ESCU - Azure Automation Runbook Created - Rule", "ESCU - Azure Runbook Webhook Created - Rule"]
 description = Monitor for activities and techniques associated with the execution of Persistence techniques against Azure Active Directory tenants.
 narrative = Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day.\ Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. This analytic storic groups detections that can help security operations teams identify the potential execution of Persistence techniques targeting Azure Active Directory tenants. 
@@ -16136,7 +16346,7 @@ version = 1
 references = ["https://attack.mitre.org/tactics/TA0003/", "https://cloudbrothers.info/en/azure-attack-paths/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/PrivEsc/", "https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5"]
 maintainers = [{"company": "Splunk", "email": "-", "name": "Mauricio Velazco"}]
 spec_version = 3
-searches = ["ESCU - Azure AD Application Administrator Role Assigned - Rule", "ESCU - Azure AD Global Administrator Role Assigned - Rule", "ESCU - Azure AD PIM Role Assigned - Rule", "ESCU - Azure AD PIM Role Assignment Activated - Rule", "ESCU - Azure AD Privileged Authentication Administrator Role Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule"]
+searches = ["ESCU - Azure AD Admin Consent Bypassed by Service Principal - Rule", "ESCU - Azure AD Application Administrator Role Assigned - Rule", "ESCU - Azure AD Global Administrator Role Assigned - Rule", "ESCU - Azure AD PIM Role Assigned - Rule", "ESCU - Azure AD PIM Role Assignment Activated - Rule", "ESCU - Azure AD Privileged Authentication Administrator Role Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule"]
 description = Monitor for activities and techniques associated with Privilege Escalation attacks within Azure Active Directory tenants.
 narrative = Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations or vulnerabilities.\ Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365 and Microsoft Teams. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day.\ 
@@ -16667,7 +16877,7 @@ version = 1
 references = ["https://www.splunk.com/en_us/blog/security/approaching-kubernetes-security-detecting-kubernetes-scan-with-splunk.html"]
 maintainers = [{"company": "Splunk", "email": "-", "name": "Rod Soto"}]
 spec_version = 3
-searches = ["ESCU - Kubernetes AWS detect most active service accounts by pod - Rule", "ESCU - Kubernetes AWS detect sensitive role access - Rule", "ESCU - Kubernetes Azure active service accounts by pod namespace - Rule", "ESCU - Kubernetes Azure detect RBAC authorization by account - Rule", "ESCU - Kubernetes Azure detect sensitive role access - Rule", "ESCU - Kubernetes GCP detect most active service accounts by pod - Rule", "ESCU - Kubernetes GCP detect RBAC authorizations by account - Rule", "ESCU - Kubernetes GCP detect sensitive role access - Rule", "ESCU - Get Notable History - Response Task"]
+searches = ["ESCU - Kubernetes AWS detect most active service accounts by pod - Rule", "ESCU - Kubernetes AWS detect RBAC authorization by account - Rule", "ESCU - Kubernetes AWS detect sensitive role access - Rule", "ESCU - Kubernetes Azure active service accounts by pod namespace - Rule", "ESCU - Kubernetes Azure detect RBAC authorization by account - Rule", "ESCU - Kubernetes Azure detect sensitive role access - Rule", "ESCU - Kubernetes GCP detect most active service accounts by pod - Rule", "ESCU - Kubernetes GCP detect RBAC authorizations by account - Rule", "ESCU - Kubernetes GCP detect sensitive role access - Rule", "ESCU - Get Notable History - Response Task"]
 description = This story addresses detection and response around Sensitive Role usage within a Kubernetes clusters against cluster resources and namespaces.
 narrative = Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitive roles within its architecture, specifically configmaps and secrets, if accessed by an attacker can lead to further compromise. These searches allow operator to detect suspicious requests against Kubernetes role activities 
@@ -17117,7 +17327,7 @@ version = 1
 references = ["https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse", "https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml", "https://github.com/rapid7/metasploit-framework/pull/18708/files", "https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis", "https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/", "https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/", "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day", "https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US"]
 maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}]
 spec_version = 3
-searches = ["ESCU - Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint - Rule", "ESCU - Ivanti Connect Secure Command Injection Attempts - Rule", "ESCU - Ivanti Connect Secure System Information Access via Auth Bypass - Rule"]
+searches = ["ESCU - Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint - Rule", "ESCU - Ivanti Connect Secure Command Injection Attempts - Rule", "ESCU - Ivanti Connect Secure SSRF in SAML Component - Rule", "ESCU - Ivanti Connect Secure System Information Access via Auth Bypass - Rule"]
 description = The following analytic story addresses critical vulnerabilities CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure and Ivanti Policy Secure Gateways. CVE-2023-46805 is an authentication bypass vulnerability, while CVE-2024-21887 is a command injection flaw, both presenting significant risks in versions 9.x and 22.x. Combined, these vulnerabilities enable unauthenticated threat actors to execute arbitrary commands, compromising system integrity. Immediate mitigation is imperative, with patches scheduled for staggered release. Ivanti has provided interim mitigation steps, and it's crucial for customers to apply these measures to protect their systems against potential exploits.
 narrative = Ivanti Connect Secure and Ivanti Policy Secure gateways face a severe security challenge with the discovery of CVE-2023-46805 and CVE-2024-21887. CVE-2023-46805 allows attackers to bypass authentication in critical web components of versions 9.x and 22.x. More alarmingly, when paired with CVE-2024-21887, a command injection vulnerability, it enables remote attackers to execute arbitrary commands without authentication. This combination poses a heightened threat, undermining the security of enterprise networks. Ivanti has mobilized resources to address these vulnerabilities, offering immediate mitigation advice and scheduling patch releases. Customers are urged to apply these mitigations without delay to safeguard their networks. 
@@ -17491,13 +17701,13 @@ narrative = NjRat is also known as Bladabindi malware that was first discovered
 [analytic_story://NOBELIUM Group]
 category = Adversary Tactics
 last_updated = 2020-12-14
-version = 2
-references = ["https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/"]
-maintainers = [{"company": "Michael Haag, Splunk", "email": "-", "name": "Patrick Bareiss"}]
+version = 3
+references = ["https://attack.mitre.org/groups/G0016/", "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/", "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/"]
+maintainers = [{"company": "Michael Haag, Mauricio Velazco, Splunk", "email": "-", "name": "Patrick Bareiss"}]
 spec_version = 3
-searches = ["ESCU - Anomalous usage of 7zip - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Sunburst Correlation DLL and Network Event - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - TOR Traffic - Rule", "ESCU - Supernova Webshell - Rule"]
-description = Sunburst is a trojanized updates to SolarWinds Orion IT monitoring and management software. It was discovered by FireEye in December 2020. The actors behind this campaign gained access to numerous public and private organizations around the world.
-narrative = This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) of the NOBELIUM Group. The threat actor behind sunburst compromised the SolarWinds.Orion.Core.BusinessLayer.dll, is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. The detections in this Analytic Story are focusing on the dll loading events, file create events and network events to detect This malware.
+searches = ["ESCU - Azure AD Admin Consent Bypassed by Service Principal - Rule", "ESCU - Azure AD FullAccessAsApp Permission Assigned - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD Multi-Source Failed Authentications Spike - Rule", "ESCU - Azure AD Multiple Service Principals Created by SP - Rule", "ESCU - Azure AD Multiple Service Principals Created by User - Rule", "ESCU - Azure AD Privileged Graph API Permission Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule", "ESCU - Azure AD Service Principal Authentication - Rule", "ESCU - Azure AD Service Principal Created - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule", "ESCU - Azure AD Tenant Wide Admin Consent Granted - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Application Registration Owner Added - Rule", "ESCU - O365 ApplicationImpersonation Role Assigned - Rule", "ESCU - O365 FullAccessAsApp Permission Assigned - Rule", "ESCU - O365 Multi-Source Failed Authentications Spike - Rule", "ESCU - O365 Multiple Mailboxes Accessed via API - Rule", "ESCU - O365 Multiple Service Principals Created by SP - Rule", "ESCU - O365 Multiple Service Principals Created by User - Rule", "ESCU - O365 Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - O365 OAuth App Mailbox Access via EWS - Rule", "ESCU - O365 OAuth App Mailbox Access via Graph API - Rule", "ESCU - O365 Privileged Graph API Permission Assigned - Rule", "ESCU - O365 Service Principal New Client Credentials - Rule", "ESCU - O365 Tenant Wide Admin Consent Granted - Rule", "ESCU - Anomalous usage of 7zip - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Sunburst Correlation DLL and Network Event - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - TOR Traffic - Rule", "ESCU - Supernova Webshell - Rule"]
+description = NOBELIUM, also known as APT29, The Dukes, Cozy Bear, CozyDuke, Blue Kitsune, and Midnight Blizzard, is a sophisticated nation-state threat actor, reportedly associated with Russian intelligence. Active since at least 2008, this group primarily targets government networks in Europe and NATO member countries, along with research institutes and think tanks. Their operations typically involve advanced persistent threats (APT), leveraging techniques like spear-phishing, malware deployment, and long-term network compromise to achieve information theft and espionage. Notably, APT29 has been implicated in significant cyber espionage incidents, including the 2015 breach of the Pentagon's Joint Staff email system and attacks on the Democratic National Committee in 2016. Their advanced tactics and persistent approach underscore the serious nature of threats posed by this group to global cybersecurity.
+narrative = This Analytic Story groups detections designed to trigger on a comprehensive range of Tactics, Techniques, and Procedures (TTPs) leveraged by the NOBELIUM Group, with a focus on their methods as observed in well-known public breaches.
 
 [analytic_story://Office 365 Account Takeover]
 category = Adversary Tactics
@@ -17517,10 +17727,21 @@ version = 1
 references = ["https://attack.mitre.org/tactics/TA0003/", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack?hsLang=en", "https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf", "https://www.csoonline.com/article/570381/microsoft-365-advanced-audit-what-you-need-to-know.html", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/overview-assign-app-owners", "https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf"]
 maintainers = [{"company": "Patrick Bareiss, Splunk", "email": "-", "name": "Mauricio Velazco"}]
 spec_version = 3
-searches = ["ESCU - O365 Add App Role Assignment Grant User - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Advanced Audit Disabled - Rule", "ESCU - O365 Application Registration Owner Added - Rule", "ESCU - O365 ApplicationImpersonation Role Assigned - Rule", "ESCU - O365 Bypass MFA via Trusted IP - Rule", "ESCU - O365 Disable MFA - Rule", "ESCU - O365 High Privilege Role Granted - Rule", "ESCU - O365 Mailbox Inbox Folder Shared with All Users - Rule", "ESCU - O365 Mailbox Read Access Granted to Application - Rule", "ESCU - O365 New Federated Domain Added - Rule", "ESCU - O365 New MFA Method Registered - Rule", "ESCU - O365 PST export alert - Rule", "ESCU - O365 Service Principal New Client Credentials - Rule", "ESCU - O365 Suspicious Admin Email Forwarding - Rule", "ESCU - O365 Suspicious Rights Delegation - Rule", "ESCU - O365 Suspicious User Email Forwarding - Rule", "ESCU - O365 Tenant Wide Admin Consent Granted - Rule"]
+searches = ["ESCU - O365 Add App Role Assignment Grant User - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Admin Consent Bypassed by Service Principal - Rule", "ESCU - O365 Advanced Audit Disabled - Rule", "ESCU - O365 Application Registration Owner Added - Rule", "ESCU - O365 ApplicationImpersonation Role Assigned - Rule", "ESCU - O365 Bypass MFA via Trusted IP - Rule", "ESCU - O365 Disable MFA - Rule", "ESCU - O365 FullAccessAsApp Permission Assigned - Rule", "ESCU - O365 High Privilege Role Granted - Rule", "ESCU - O365 Multiple Service Principals Created by SP - Rule", "ESCU - O365 Multiple Service Principals Created by User - Rule", "ESCU - O365 New Federated Domain Added - Rule", "ESCU - O365 New MFA Method Registered - Rule", "ESCU - O365 Privileged Graph API Permission Assigned - Rule", "ESCU - O365 PST export alert - Rule", "ESCU - O365 Service Principal New Client Credentials - Rule", "ESCU - O365 Tenant Wide Admin Consent Granted - Rule"]
 description = Monitor for activities and anomalies indicative of potential persistence techniques within Office 365 environments.
 narrative = Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The "Office 365 Persistence Mechanisms" analytic story delves into the tactics and techniques attackers employ to maintain prolonged unauthorized access within the O365 environment. Persistence in this context refers to methods used by adversaries to keep their foothold after an initial compromise. This can involve actions like modifying mailbox rules, establishing covert forwarding rules, manipulating application permissions. 
By monitoring signs of persistence, organizations can effectively detect and respond to stealthy threats, thereby protecting their O365 assets and data. +[analytic_story://Office 365 Collection Techniques] +category = Adversary Tactics +last_updated = 2024-02-12 +version = 1 +references = [] +maintainers = [{"company": "Splunk", "email": "-", "name": "Mauricio Velazco"}] +spec_version = 3 +searches = ["ESCU - O365 Mailbox Inbox Folder Shared with All Users - Rule", "ESCU - O365 Mailbox Read Access Granted to Application - Rule", "ESCU - O365 Multiple Mailboxes Accessed via API - Rule", "ESCU - O365 OAuth App Mailbox Access via EWS - Rule", "ESCU - O365 OAuth App Mailbox Access via Graph API - Rule", "ESCU - O365 Suspicious Admin Email Forwarding - Rule", "ESCU - O365 Suspicious Rights Delegation - Rule", "ESCU - O365 Suspicious User Email Forwarding - Rule"] +description = Monitor for activities and anomalies indicative of potential collection techniques within Office 365 environments. +narrative = Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The 'Office 365 Collection Techniques' analytic story focuses on the strategies and methodologies that attackers might use to gather critical information within the O365 ecosystem. 'Collection' in this context refers to the various techniques adversaries deploy to accumulate data that are essential for advancing their malicious objectives. This could include tactics such as intercepting communications, accessing sensitive documents, or extracting data from collaboration tools and email platforms. 
By identifying and monitoring these collection activities, organizations can more effectively spot and counteract attempts to illicitly gather information + [analytic_story://Okta MFA Exhaustion] category = Adversary Tactics last_updated = 2022-09-27 
@@ -17582,6 +17803,17 @@ searches = ["ESCU - PetitPotam Network Share Access Request - Rule", "ESCU - Pet
 description = PetitPotam (CVE-2021-36942,) is a vulnerablity identified in Microsofts EFSRPC Protocol that can allow an unauthenticated account to escalate privileges to domain administrator given the right circumstances.
 narrative = In June 2021, security researchers at SpecterOps released a blog post and white paper detailing several potential attack vectors against Active Directory Certificated Services (ADCS). ADCS is a Microsoft product that implements Public Key Infrastrucutre (PKI) functionality and can be used by organizations to provide and manage digital certiticates within Active Directory.\ In July 2021, a security researcher released PetitPotam, a tool that allows attackers to coerce Windows systems into authenticating to arbitrary endpoints.\ Combining PetitPotam with the identified ADCS attack vectors allows attackers to escalate privileges from an unauthenticated anonymous user to full domain admin privileges. 
+[analytic_story://Phemedrone Stealer]
+category = Malware
+last_updated = 2024-01-24
+version = 2
+references = ["https://www.trendmicro.com/en_vn/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html"]
+maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}]
+spec_version = 3
+searches = ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Download Files Using Telegram - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule"]
+description = Phemedrone Stealer is a potent data-stealing malware designed to infiltrate systems discreetly, primarily targeting sensitive user information. Operating with a stealthy modus operandi, it covertly collects and exfiltrates critical data such as login credentials, personal details, and financial information. Notably evasive, Phemedrone employs sophisticated techniques to bypass security measures and remain undetected. Its capabilities extend to exploiting vulnerabilities, leveraging command and control infrastructure, and facilitating remote access. As a formidable threat, Phemedrone Stealer poses a significant risk to user privacy and system integrity, demanding vigilant cybersecurity measures to counteract its malicious activities. 
+narrative = Phemedrone Stealer, spotlighted in a recent Trend Micro blog, unveils a concerning chapter in cyber threats. Leveraging the CVE-2023-36025 vulnerability for defense evasion, this malware exhibits a relentless pursuit of sensitive data. Originating from the shadows of the dark web, it capitalizes on forums where cybercriminals refine its evasive maneuvers. The blog sheds light on Phemedrone's exploitation of intricate tactics, illustrating its agility in sidestepping security protocols. As cybersecurity experts delve into the intricacies of CVE-2023-36025, the narrative surrounding Phemedrone Stealer underscores the urgency for heightened vigilance and proactive defense measures against this persistent and evolving digital adversary. + [analytic_story://PlugX] category = Malware last_updated = 2023-10-12 
@@ -18584,7 +18816,7 @@ version = 2
 references = ["https://attack.mitre.org/tactics/TA0004/"]
 maintainers = [{"company": "Splunk", "email": "-", "name": "David Dorsey"}]
 spec_version = 3
-searches = ["ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"]
+searches = ["ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Windows Privilege Escalation Suspicious Process Elevation - Rule", "ESCU - Windows Privilege Escalation System Process Without System Parent - Rule", "ESCU - Windows Privilege Escalation User 
Process Spawn System Process - Rule", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"]
 description = Monitor for and investigate activities that may be associated with a Windows privilege-escalation attack, including unusual processes running on endpoints, modified registry keys, and more.
 narrative = Privilege escalation is a "land-and-expand" technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. The motivation is simple: certain actions on a Windows machine--such as installing software--may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.
 
diff --git a/dist/DA-ESS-ContentUpdate/default/app.conf b/dist/DA-ESS-ContentUpdate/default/app.conf
index 7b5b0f8b9a..08ab061859 100644
--- a/dist/DA-ESS-ContentUpdate/default/app.conf
+++ b/dist/DA-ESS-ContentUpdate/default/app.conf
@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-02-14T00:54:24 UTC
+# On Date: 2024-02-15T21:06:12 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############
@@ -10,7 +10,7 @@ is_configured = false
 state = enabled
 state_change_requires_restart = false
-build = 20240214005416
+build = 20240215210124
 
 [triggers]
 reload.analytic_stories = simple
@@ -26,7 +26,7 @@ reload.es_investigations = simple
 
 [launcher]
 author = Splunk
-version = 4.23.0
+version = 4.24.0
 description = Explore the Analytic Stories included with ES Content Updates.
 
 [ui]
diff --git a/dist/DA-ESS-ContentUpdate/default/collections.conf b/dist/DA-ESS-ContentUpdate/default/collections.conf
index 8a003046ed..5ab611aff0 100644
--- a/dist/DA-ESS-ContentUpdate/default/collections.conf
+++ b/dist/DA-ESS-ContentUpdate/default/collections.conf
@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-02-14T00:54:24 UTC
+# On Date: 2024-02-15T21:06:12 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############
diff --git a/dist/DA-ESS-ContentUpdate/default/content-version.conf b/dist/DA-ESS-ContentUpdate/default/content-version.conf
index e09d34a599..89aa27b54b 100644
--- a/dist/DA-ESS-ContentUpdate/default/content-version.conf
+++ b/dist/DA-ESS-ContentUpdate/default/content-version.conf
@@ -1,8 +1,8 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-02-14T00:54:24 UTC
+# On Date: 2024-02-15T21:06:12 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############
 [content-version]
-version = 4.23.0
\ No newline at end of file
+version = 4.24.0
\ No newline at end of file
diff --git a/dist/DA-ESS-ContentUpdate/default/es_investigations.conf b/dist/DA-ESS-ContentUpdate/default/es_investigations.conf
index f5420bf0ec..14000bb346 100644
--- a/dist/DA-ESS-ContentUpdate/default/es_investigations.conf
+++ b/dist/DA-ESS-ContentUpdate/default/es_investigations.conf
@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-02-14T00:54:24 UTC
+# On Date: 2024-02-15T21:06:12 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############
diff --git a/dist/DA-ESS-ContentUpdate/default/macros.conf b/dist/DA-ESS-ContentUpdate/default/macros.conf
index aefb43798b..2f615772d5 100644
--- a/dist/DA-ESS-ContentUpdate/default/macros.conf
+++ b/dist/DA-ESS-ContentUpdate/default/macros.conf
@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-02-14T00:54:24 UTC
+# On Date: 2024-02-15T21:06:12 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############
@@ -633,6 +633,10 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[azure_ad_admin_consent_bypassed_by_service_principal_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [azure_ad_application_administrator_role_assigned_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -657,6 +661,10 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[azure_ad_fullaccessasapp_permission_assigned_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [azure_ad_global_administrator_role_assigned_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -689,6 +697,14 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[azure_ad_multiple_service_principals_created_by_sp_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[azure_ad_multiple_service_principals_created_by_user_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [azure_ad_multiple_users_failing_to_authenticate_from_ip_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -725,6 +741,10 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[azure_ad_privileged_graph_api_permission_assigned_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [azure_ad_privileged_role_assigned_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -733,6 +753,10 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[azure_ad_service_principal_authentication_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [azure_ad_service_principal_created_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -1121,6 +1145,10 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[o365_admin_consent_bypassed_by_service_principal_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [o365_advanced_audit_disabled_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -1161,6 +1189,10 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[o365_fullaccessasapp_permission_assigned_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [o365_high_number_of_failed_authentications_for_user_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -1193,6 +1225,18 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[o365_multiple_mailboxes_accessed_via_api_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[o365_multiple_service_principals_created_by_sp_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[o365_multiple_service_principals_created_by_user_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [o365_multiple_users_failing_to_authenticate_from_ip_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -1205,6 +1249,18 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[o365_oauth_app_mailbox_access_via_ews_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[o365_oauth_app_mailbox_access_via_graph_api_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[o365_privileged_graph_api_permission_assigned_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [o365_pst_export_alert_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -1421,6 +1477,10 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[kubernetes_aws_detect_rbac_authorization_by_account_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [kubernetes_aws_detect_sensitive_role_access_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -3165,6 +3225,10 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[network_traffic_to_active_directory_web_services_protocol_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [nishang_powershelltcponeline_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -5225,6 +5289,18 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[windows_privilege_escalation_suspicious_process_elevation_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[windows_privilege_escalation_system_process_without_system_parent_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[windows_privilege_escalation_user_process_spawn_system_process_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [windows_process_commandline_discovery_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -5501,6 +5577,10 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[windows_soaphound_binary_execution_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [windows_spearphishing_attachment_connect_to_none_ms_office_domain_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -6033,6 +6113,10 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[ivanti_connect_secure_ssrf_in_saml_component_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [ivanti_connect_secure_system_information_access_via_auth_bypass_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -6431,10 +6515,6 @@ description = customer specific splunk configurations(eg- index, source, sourcet
 definition = (eventName = CreateNetworkAcl OR eventName = CreateNetworkAclEntry OR eventName = DeleteNetworkAcl OR eventName = DeleteNetworkAclEntry OR eventName = ReplaceNetworkAclEntry OR eventName = ReplaceNetworkAclAssociation)
 description = This is a list of AWS event names that are associated with Network ACLs
 
-[notable]
-definition = index=notable
-description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.
-
 [o365_graph]
 definition = sourcetype=o365:graph:api
 description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.
diff --git a/dist/DA-ESS-ContentUpdate/default/savedsearches.conf b/dist/DA-ESS-ContentUpdate/default/savedsearches.conf
index 213380c23f..4c62cd3909 100644
--- a/dist/DA-ESS-ContentUpdate/default/savedsearches.conf
+++ b/dist/DA-ESS-ContentUpdate/default/savedsearches.conf
@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-02-14T00:54:24 UTC
+# On Date: 2024-02-15T21:06:12 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############
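Review bot: Dropping the `[notable]` macro stanza (definition `index=notable`) in the `@@ -6431,10 +6515,6 @@` hunk is a breaking change for any shipped or customer-authored search that still expands `` `notable` ``, because Splunk rejects a search that references an undefined macro at parse time rather than returning empty results. This dist file is generated, so the removal presumably originates in the source macro definitions; if it is intentional (for example because Enterprise Security now supplies an equivalent macro), the v4.24.0 release notes should call it out, and otherwise keeping the stanza for one more release with its existing definition would be the safer path.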
@@ -56,7 +56,7 @@ search = | tstats `security_content_summariesonly` count earliest(_time) as earl
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic uses a pretrained machine learning text classifier to detect potentially risky commands. The model is trained independently and then the model file is packaged within ESCU for usage. A command is deemed risky based on the presence of certain trigger keywords, along with the context and the role of the user (please see references). The model uses custom features to predict whether a SPL is risky using text classification. The model takes as input the command text, user and search type and outputs a risk score between [0,1]. A high score indicates higher likelihood of a command being risky. This model is on-prem only.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Splunk_Audit"]
 action.escu.eli5 = The following analytic uses a pretrained machine learning text classifier to detect potentially risky commands. The model is trained independently and then the model file is packaged within ESCU for usage. A command is deemed risky based on the presence of certain trigger keywords, along with the context and the role of the user (please see references). The model uses custom features to predict whether a SPL is risky using text classification. The model takes as input the command text, user and search type and outputs a risk score between [0,1]. 
A high score indicates higher likelihood of a command being risky. This model is on-prem only.
 action.escu.how_to_implement = This detection depends on the MLTK app which can be found here - https://splunkbase.splunk.com/app/2890/ and the Splunk Audit datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. Additionally, you need to be ingesting logs which include Search_Activity.search, Search_Activity.user, Search_Activity.search_type from your endpoints. The risk score threshold should be adjusted based on the environment. The detection uses a custom MLTK model hence we need a few more steps for deployment, as outlined here - https://gist.github.com/ksharad-splunk/be2a62227966049047f5e5c4f2adcabb.
@@ -79,7 +79,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Detect Risky SPL using Pretrained ML Model - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 40, "cve": ["CVE-2022-32154"], "impact": 50, "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 40, "cve": ["CVE-2022-32154"], "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -138,7 +138,7 @@ search = | tstats `security_content_summariesonly` count values(All_Email.recipi
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The search looks at the change-analysis data model and detects email files created outside the normal Outlook directory.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1114", "T1114.001"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.001"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The search looks at the change-analysis data model and detects email files created outside the normal Outlook directory.
 action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.
@@ -161,7 +161,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Email files written outside of the Outlook directory - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Collection and Staging"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1114", "T1114.001"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Collection and Staging"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.001"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -184,7 +184,7 @@ search = | tstats `security_content_summariesonly` count values(Filesystem.file_
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for an increase of data transfers from your email server to your clients. This could be indicative of a malicious actor collecting data using your email server.
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Network_Traffic"]
 action.escu.eli5 = This search looks for an increase of data transfers from your email server to your clients. This could be indicative of a malicious actor collecting data using your email server.
 action.escu.how_to_implement = This search requires you to be ingesting your network traffic and populating the Network_Traffic data model. Your email servers must be categorized as "email_server" for the search to work, as well. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The "deviation_threshold" field is a multiplying factor to control how much variation you're willing to tolerate. The "minimum_data_samples" field is the minimum number of connections of data samples required for the statistic to be valid.
@@ -207,7 +207,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Email servers sending high volume traffic to hosts - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Collection and Staging", "HAFNIUM Group"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Collection and Staging", "HAFNIUM Group"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -270,7 +270,7 @@ search = | tstats `security_content_summariesonly` values(All_Email.recipient) a
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This hunting analytic identifies multiple failed logon attempts from a single IP. Use this analytic to identify patterns of suspicious logins from a single source and filter as needed or use this to drive tuning for higher fidelity analytics.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This hunting analytic identifies multiple failed logon attempts from a single IP. Use this analytic to identify patterns of suspicious logins from a single source and filter as needed or use this to drive tuning for higher fidelity analytics.
 action.escu.how_to_implement = This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment.
@@ -288,7 +288,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Multiple Okta Users With Invalid Credentials From The Same IP - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -340,7 +340,7 @@ search = | tstats `security_content_summariesonly` max(_time) as lastTime from d
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic utilizes the user.acount.lock event to identify associates who are locked out of Okta. An adversary attempting to brute force or password spray account names may lock accounts out depending on the threshold.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic utilizes the user.acount.lock event to identify associates who are locked out of Okta. An adversary attempting to brute force or password spray account names may lock accounts out depending on the threshold.
 action.escu.how_to_implement = This analytic is specific to Okta and requires Okta logs to be ingested.
@@ -355,7 +355,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Suspicious Okta Activity", "Okta MFA Exhaustion"]
 action.risk = 1
 action.risk.param._risk_message = $src_user$ account has been locked out.
-action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 64}]
+action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "other", "risk_score": 64}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
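Review bot: In the `@@ -355,7 +355,7 @@` hunk the risk object for `src_user` is downgraded from `"risk_object_type": "user"` to `"other"`, although the field names an account and the risk message on the line above reads `$src_user$ account has been locked out.`; in Enterprise Security risk-based alerting, `other` objects are not rolled up onto the user entity, so this lockout would no longer contribute to that account's risk score or to user-centric risk notables. This file is generated, so the change presumably comes from the detection source for `Okta Account Locked Out`; unless the switch is deliberate (for example because the Okta `src_user` value is not a normalised user identity), `"risk_object_type": "user"` should be restored there and the same line checked in any sibling Okta detections.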
@@ -363,7 +363,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Okta Account Locked Out - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity", "Okta MFA Exhaustion"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1110"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity", "Okta MFA Exhaustion"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -380,7 +380,7 @@ search = `okta` eventType=user.account.lock | stats count min(_time) as firstTim
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following anomaly will generate based on account lockout events utilizing Okta eventTypes of user.account.lock.limit or user.account.lock. Per the Okta docs site, this event is fired when a user account has reached the lockout limit. The account will not auto-unlock and a user or client cannot gain access to the account. This event indicates an account that will not be able to log in until remedial action is taken by the account admin. This event can be used to understand the specifics of an account lockout. Often this indicates a client application that is repeatedly attempting to authenticate with invalid credentials such as an old password.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following anomaly will generate based on account lockout events utilizing Okta eventTypes of user.account.lock.limit or user.account.lock. Per the Okta docs site, this event is fired when a user account has reached the lockout limit. The account will not auto-unlock and a user or client cannot gain access to the account. This event indicates an account that will not be able to log in until remedial action is taken by the account admin. 
This event can be used to understand the specifics of an account lockout. Often this indicates a client application that is repeatedly attempting to authenticate with invalid credentials such as an old password.
 action.escu.how_to_implement = This analytic is specific to Okta and requires Okta logs to be ingested.
@@ -403,7 +403,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Okta Account Lockout Events - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -420,7 +420,7 @@ search = `okta` eventType IN (user.account.lock.limit,user.account.lock) | renam
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following anomaly identifies failed Okta SSO events utilizing the legacy Okta event "unauth app access attempt".
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following anomaly identifies failed Okta SSO events utilizing the legacy Okta event "unauth app access attempt".
 action.escu.how_to_implement = This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment.
@@ -443,7 +443,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Okta Failed SSO Attempts - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 40, "impact": 40, "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 40, "impact": 40, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -460,7 +460,7 @@ search = `okta` eventType=app.generic.unauth_app_access_attempt | stats min(_tim
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies patterns within Okta data to determine the amount of successful and failed pushes. Based on that, eval statements determine a finding of whether this is suspicious or not. The events are within a window of time and may be tuned as needed.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Authentication"]
 action.escu.eli5 = The following analytic identifies patterns within Okta data to determine the amount of successful and failed pushes. Based on that, eval statements determine a finding of whether this is suspicious or not. The events are within a window of time and may be tuned as needed.
 action.escu.how_to_implement = This analytic is specific to Okta and requires Okta logs to be ingested.
@@ -478,7 +478,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Okta MFA Exhaustion Hunt - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity", "Okta MFA Exhaustion"], "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "mitre_attack": ["T1110"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity", "Okta MFA Exhaustion"], "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -504,7 +504,7 @@ In sequence, the logic for the analytic - \
 * Groups by SessionID and retrieves any system.push.send_factor_verify_push events (the source of the push) and user.authentication.auth_via_mfa events where the factor is OKTA_VERIFY_PUSH - (the user response to the push) \ * Counts the total number of push events, successful authentication events, and any push sources where the client is a new device. \ * Creates a ratio of successful sign-ins to pushes. \ * If the ratio (currently tuned aggressively) indicates push spam, or if a user has rejected a push, the detection proceeds to evaluate whether there is more than one IP address used during the session (session roaming) and the presence of both a new IP and new device during the session.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1621"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1621"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies variations in client-based values for source and response events to identify suspicious request behavior. The detection is enhanced if the org is evaluating behavior conditions in sign-on policies using Okta Behavior Detection. NOTE: This detection requires the use of Okta Identity Engine (OIE) and will not function on Okta Classic.\ For each Okta Verify Push challenge, the following two events are recorded in Okta System Log \ 
@@ -536,7 +536,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Okta Mismatch Between Source and Response for Verify Push Request - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity", "Okta MFA Exhaustion"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1621"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity", "Okta MFA Exhaustion"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1621"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -572,7 +572,7 @@ description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splu
 * Groups by User, Session and IP \ * Creates a ratio of successful SSO events to total MFA challenges related to Application Sign On Policies \ * Alerts when more than half of app sign on events are unsuccessful, and challenges were unsatisfied for more than three apps.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1550.004", "T1538"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550.004", "T1538"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies multiple failed app requests in an attempt to identify the reuse a stolen web session cookie. The logic of the analytic is as follows: \ * Retrieves policy evaluation and SSO details in events that contain the Application requested \ * Formats target fields so we can aggregate specifically on Applications (AppInstances) \ 
@@ -594,7 +594,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Okta Multiple Failed Requests to Access Applications - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "mitre_attack": ["T1550.004", "T1538"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550.004", "T1538"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -611,7 +611,7 @@ search = `okta` target{}.type=AppInstance (eventType=policy.evaluate_sign_on out
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies when a new API token is created. Adversaries who have gained access to a privileged account may add a new token for persistence. This analytic uses the eventType system.api_token.create.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies when a new API token is created. Adversaries who have gained access to a privileged account may add a new token for persistence. This analytic uses the eventType system.api_token.create.
 action.escu.how_to_implement = This analytic is specific to Okta and requires Okta logs to be ingested.
@@ -626,7 +626,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Suspicious Okta Activity"]
 action.risk = 1
 action.risk.param._risk_message = $src_user$ has created a new API token within Okta.
-action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 64}]
+action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "other", "risk_score": 64}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
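Review bot: On the `+action.risk.param._risk` line of the second hunk the `src_user` risk object is retyped from `user` to `other`, which is a behavioural regression for risk-based alerting rather than a cosmetic change: to my knowledge Splunk ES resolves `user`-typed risk objects against the Identity framework and rolls them into the per-user risk score, while `other` is matched against nothing. The field still carries a username (the risk message on the line above is `$src_user$ has created a new API token within Okta.`), so a token created by a compromised admin would no longer contribute to that identity's risk or to the RIR rule that tallies it. Unless the retyping is deliberate, the line should stay `action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 64}]`. dist/ is generated, so the change presumably originates in the source YAML or the generator's risk-object template and should be corrected there; the stanza continues outside the hunk.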
@@ -634,7 +634,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Okta New API Token Created - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -657,7 +657,7 @@ search = `okta` eventType=system.api_token.create | stats count min(_time) as fi
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following anomaly will be generated when a new device is added to an account. Albeit not malicious, risk is set low, but should be monitored. This anomaly utilizes the legacy events from Okta.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following anomaly will be generated when a new device is added to an account. Albeit not malicious, risk is set low, but should be monitored. This anomaly utilizes the legacy events from Okta.
 action.escu.how_to_implement = This analytic is specific to Okta and requires Okta logs to be ingested.
@@ -680,7 +680,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Okta New Device Enrolled on Account - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 60, "impact": 40, "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 60, "impact": 40, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -697,7 +697,7 @@ search = `okta` eventType=system.email.new_device_notification.sent_message disp
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies when Okta''s FastPass prevents known phishing sites. When your users are enrolled in FastPass, Okta can provide defenders a high-fidelity signal for when user applications are being targeted by attackers wielding real-time (AiTM) proxies. Okta''s Defensive Cyber Operations team routinely identifies phishing infrastructure configured to imitate an Okta sign-in page and proactively notify Okta customers when suspicious infrastructure we detect appears to be targeting their users. Since March 2020, we have delivered over 1000 notifications to customers.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.001", "T1556"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001", "T1556"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies when Okta''s FastPass prevents known phishing sites. When your users are enrolled in FastPass, Okta can provide defenders a high-fidelity signal for when user applications are being targeted by attackers wielding real-time (AiTM) proxies. Okta''s Defensive Cyber Operations team routinely identifies phishing infrastructure configured to imitate an Okta sign-in page and proactively notify Okta customers when suspicious infrastructure we detect appears to be targeting their users. 
Since March 2020, we have delivered over 1000 notifications to customers.
 action.escu.how_to_implement = This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment.
@@ -720,7 +720,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Okta Phishing Detection with FastPass Origin Check - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "mitre_attack": ["T1078", "T1078.001", "T1556"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001", "T1556"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -743,7 +743,7 @@ search = `okta` eventType="user.authentication.auth_via_mfa" AND result="FAILURE
 action.escu = 0
 action.escu.enabled = 1
 description = The following correlation will take risk associated with the content from "Suspicious Okta Activity" and "Okta MFA Exhaustion" analytic stories and tally it up. Once it hits the threshold of 100 (can be changed), it will trigger an a notable. As needed, reduce or raise the risk scores assocaited with the anomaly and TTP analytics tagged to these two analytic stories.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1110"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1110"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Risk"]
 action.escu.eli5 = The following correlation will take risk associated with the content from "Suspicious Okta Activity" and "Okta MFA Exhaustion" analytic stories and tally it up. Once it hits the threshold of 100 (can be changed), it will trigger an a notable. As needed, reduce or raise the risk scores assocaited with the anomaly and TTP analytics tagged to these two analytic stories.
 action.escu.how_to_implement = Ensure "Suspicious Okta Activity" and "Okta MFA Exhaustion" analytic stories are enabled. TTP may be set to Notables for point detections, anomaly should not be notables but risk generators. The correlation relies on risk before generating a notable. Modify the value as needed. Default threshold is 100. This value may need to be increased based on activity in your environment.
@@ -761,7 +761,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - RIR - Okta Risk Threshold Exceeded - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity", "Okta MFA Exhaustion"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1078", "T1110"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity", "Okta MFA Exhaustion"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1110"], "nist": ["DE.AE"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -784,7 +784,7 @@ search = | tstats `security_content_summariesonly` sum(All_Risk.calculated_risk_
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following event is generated when an associate receives an email from Okta asking if a login attempt was suspicious or not. If the associate identifies it as suspicious an event is generated and should be reviewed.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following event is generated when an associate receives an email from Okta asking if a login attempt was suspicious or not. If the associate identifies it as suspicious an event is generated and should be reviewed.
 action.escu.how_to_implement = This analytic is specific to Okta and requires Okta logs to be ingested. It also requires that suspicious activity reporting is enabled and associates are trained to submit.
@@ -807,7 +807,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Okta Suspicious Activity Reported - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -833,7 +833,7 @@ description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splu
 * Retrieves policy evaluation events from successful authentication events. \
 * Aggregates/Groups by Device Token and User, providing the first policy evaluation event in the search window. \
 * Evaluates whether there is more than one IP and whether there is more than one OS or browser for each combination of User/Device Token.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1539"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1539"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic looks for one or more policy evaluation events in which multiple client values (IP, User Agent, etc.) change associated to the same Device Token for a specific user. A detection opportunity arises when an adversary attempts to reuse a stolen web session cookie. \
 * Retrieves policy evaluation events from successful authentication events. \ 
@@ -854,7 +854,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Okta Suspicious Use of a Session Cookie - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "mitre_attack": ["T1539"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1539"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -871,7 +871,7 @@ search = `okta` eventType IN (policy.evaluate_sign_on) outcome.result IN (ALLOW,
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic utilizes Okta's ThreatInsight to identify "Login failures with high unknown users count" and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.001", "T1110.004"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001", "T1110.004"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic utilizes Okta's ThreatInsight to identify "Login failures with high unknown users count" and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted.
 action.escu.how_to_implement = This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment.
@@ -894,7 +894,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Okta ThreatInsight Login Failure with High Unknown users - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 100, "impact": 50, "mitre_attack": ["T1078", "T1078.001", "T1110.004"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 100, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001", "T1110.004"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -917,7 +917,7 @@ search = `okta` eventType="security.threat.detected" AND outcome.reason="Login f
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic utilizes Okta's ThreatInsight to identify "PasswordSpray" and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.001", "T1110.003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001", "T1110.003"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic utilizes Okta's ThreatInsight to identify "PasswordSpray" and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted.
 action.escu.how_to_implement = This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment.
@@ -940,7 +940,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Okta ThreatInsight Suspected PasswordSpray Attack - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 100, "impact": 60, "mitre_attack": ["T1078", "T1078.001", "T1110.003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 100, "impact": 60, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001", "T1110.003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -963,7 +963,7 @@ search = `okta` eventType="security.threat.detected" AND outcome.reason="Passwor
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following anomaly relies on the Okta ThreatInsight identification of a threat. Use this to drive risk up by src_ip or add additional fields to track. Identification may include password spraying, login failures and Login failures with high unknown users count.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following anomaly relies on the Okta ThreatInsight identification of a threat. Use this to drive risk up by src_ip or add additional fields to track. Identification may include password spraying, login failures and Login failures with high unknown users count.
 action.escu.how_to_implement = This analytic is specific to Okta and requires Okta logs to be ingested.
@@ -978,7 +978,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Suspicious Okta Activity"]
 action.risk = 1
 action.risk.param._risk_message = The following $src_ip$ has been conisidered a threat by Okta ThreatInsight.
-action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 25}]
+action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 25}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -986,7 +986,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Okta ThreatInsight Threat Detected - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
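Review bot: The `src_ip` risk object on the `+action.risk.param._risk` line of the first hunk is retyped from `system` to `other`, which as far as I can tell drops it out of Asset-framework enrichment and system-level risk aggregation in ES; the value is still an IP address (the risk message above it reads `The following $src_ip$ has been conisidered a threat by Okta ThreatInsight.`), so nothing about the data justifies the change. Asset enrichment rarely matches an external attacker IP anyway, but the object type may also decide which risk rows the `Okta Risk Threshold Exceeded` RIR rule and the risk dashboards group together, so the retyping can silently change what that rule sums. Keep `{"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 25}` unless the risk-object model is being deliberately reworked, in which case the commit message should say so. The same user→other and system→other retyping appears in other hunks of this generated file, which points at a generator or schema change upstream rather than per-detection edits.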
@@ -1003,7 +1003,7 @@ search = `okta` eventType IN (security.threat.detected, security.internal.threat
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies an account that has rejected more than 2 Push notifications in a 10 minute window. Modify this query for your environment by upping the count or time window.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1110"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies an account that has rejected more than 2 Push notifications in a 10 minute window. Modify this query for your environment by upping the count or time window.
 action.escu.how_to_implement = This analytic is specific to Okta and requires Okta logs to be ingested.
@@ -1018,7 +1018,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Suspicious Okta Activity", "Okta MFA Exhaustion"]
 action.risk = 1
 action.risk.param._risk_message = $user$ account has rejected multiple Okta pushes.
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 64}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
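Review bot: In the second hunk the `user` risk object for the rejected-push detection is retyped from `user` to `other` on the `+action.risk.param._risk` line, while the risk message still names an account (`$user$ account has rejected multiple Okta pushes.`). MFA fatigue is a per-identity attack, and this detection's analytic stories (`Suspicious Okta Activity`, `Okta MFA Exhaustion`) are the ones the `Okta Risk Threshold Exceeded` RIR rule tallies, so losing the `user` type is likely to stop this risk from being correlated with other user-keyed Okta risk for the same identity in ES. Unless intentional, keep `action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}]`. The file is generated, so the fix belongs in the source detection YAML or the generator; the stanza continues outside the hunk.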
@@ -1026,7 +1026,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Okta Two or More Rejected Okta Pushes - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity", "Okta MFA Exhaustion"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1110"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity", "Okta MFA Exhaustion"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -1049,7 +1049,7 @@ search = `okta` outcome.reason="User rejected Okta push verify" OR (debugContext
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search detects logins from the same user from different cities in a 24 hour period.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search detects logins from the same user from different cities in a 24 hour period.
 action.escu.how_to_implement = This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment.
@@ -1072,7 +1072,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Okta User Logins From Multiple Cities - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Okta Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.001"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -1089,7 +1089,7 @@ search = `okta` displayMessage="User login to Okta" client.geographicalContext.c
 action.escu = 0
 action.escu.enabled = 1
 description = On May 3rd, 2022, Splunk published a security advisory for a Path traversal in search parameter that can potentiall allow SPL injection. An attacker can cause the application to load data from incorrect endpoints, urls leading to outcomes such as running arbitrary SPL queries.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1083"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1083"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = On May 3rd, 2022, Splunk published a security advisory for a Path traversal in search parameter that can potentiall allow SPL injection. An attacker can cause the application to load data from incorrect endpoints, urls leading to outcomes such as running arbitrary SPL queries.
 action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This search will provide search UI requests with path traversal parameter ("../../../../../../../../../") which shows exploitation attempts. This detection is meant for on premise environments, and if executed on internet facing servers without a WAF may produce a lot of results. This detection will not work against obfuscated path traversal requests.
@@ -1104,7 +1104,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Splunk Vulnerabilities"]
 action.risk = 1
 action.risk.param._risk_message = Path traversal exploitation attempt from $clientip$
-action.risk.param._risk = [{"risk_object_field": "clientip", "risk_object_type": "system", "risk_score": 40}]
+action.risk.param._risk = [{"risk_object_field": "clientip", "risk_object_type": "other", "risk_score": 40}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -1112,7 +1112,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Path traversal SPL injection - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2022-26889"], "impact": 50, "mitre_attack": ["T1083"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2022-26889"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1083"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -1135,7 +1135,7 @@ search = `path_traversal_spl_injection` | search "\/..\/..\/..\/..\/..\/..\/..\
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies variations in the authentication event IP address versus the verification response event IP address to identify suspicious sign-in behavior. Currently this detection is configured to identify when the originating country of an authentication request is different than the verification country.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies variations in the authentication event IP address versus the verification response event IP address to identify suspicious sign-in behavior. Currently this detection is configured to identify when the originating country of an authentication request is different than the verification country.
 action.escu.how_to_implement = Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription.
@@ -1150,7 +1150,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Compromised User Account"]
 action.risk = 1
 action.risk.param._risk_message = An authentication by [$user$] was detected from [$dest$ - $auth_Country$] and the verification was received from [$src$ - $verify_Country$].
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "src", "risk_object_type": "system", "risk_score": 25}, {"threat_object_field": "object", "threat_object_type": "other"}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "src", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "object", "risk_object_type": "other", "risk_score": 25}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -1158,7 +1158,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - PingID Mismatch Auth Source and Verification Response - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
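Review bot: The new `action.risk.param._risk` line converts the MFA device field `object` from a threat object into a third scored risk object (`{"risk_object_field": "object", "risk_object_type": "other", "risk_score": 25}`), so each match now writes three risk events, one of them keyed on a device name, instead of tagging the user and src events with the device as an indicator; that changes the RBA totals per event and drops the threat-object correlation that lets analysts pivot on the same device across the PingID rules. The same conversion is made in the two later PingID MFA-method hunks of this patch, which suggests the build tool no longer emits threat objects rather than a deliberate redesign of these detections. If the intent is only a schema migration, keep the device as an indicator, `{"threat_object_field": "object", "threat_object_type": "other"}`; if it is deliberate, the risk message should say why a device name is a scored entity. Since dist/ is generated, this should be fixed in the detection YAML's observable roles rather than edited here.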
@@ -1181,7 +1181,7 @@ search = `pingid` ("result.status" IN ("SUCCESS*","FAIL*","UNSUCCESSFUL*") NOT "
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies multiple failed multi-factor authentication requests for a single user within a PingID (PingOne) environment. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 10 minutes. PingID environments can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1621", "T1078", "T1110"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1621", "T1078", "T1110"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies multiple failed multi-factor authentication requests for a single user within a PingID (PingOne) environment. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 10 minutes. PingID environments can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds.
The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.
 action.escu.how_to_implement = Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription.
@@ -1204,7 +1204,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - PingID Multiple Failed MFA Requests For User - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "mitre_attack": ["T1621", "T1078", "T1110"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1621", "T1078", "T1110"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -1227,7 +1227,7 @@ search = `pingid` "result.status" IN ("FAILURE,authFail","UNSUCCESSFUL_ATTEMPT")
 action.escu = 0
 action.escu.enabled = 1
 description = A common social engineering technique used by threat actors is the impersonation of a valid user to organizational support staff for a password reset. During the same support call or quickly afterwards the threat actor will request provisioning of a new MFA device. This does not require malware or phishing infrastructure and has proven to be successful in numerous historical attacks. This detection looks for the pattern of password reset, followed by MFA device provisioning.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Change"]
 action.escu.eli5 = A common social engineering technique used by threat actors is the impersonation of a valid user to organizational support staff for a password reset. During the same support call or quickly afterwards the threat actor will request provisioning of a new MFA device. This does not require malware or phishing infrastructure and has proven to be successful in numerous historical attacks. This detection looks for the pattern of password reset, followed by MFA device provisioning.
 action.escu.how_to_implement = Target environment must ingest Windows Event Log and PingID(PingOne) data sources. Specifically from logs from Active Directory Domain Controllers and JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription.
@@ -1242,7 +1242,7 @@ action.escu.providing_technologies = ["Microsoft Windows"]
 action.escu.analytic_story = ["Compromised User Account"]
 action.risk = 1
 action.risk.param._risk_message = An MFA configuration change was detected for [$user$] within [$timeDiff$] of a password reset. The device [$object$] was $action$.
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 50}, {"threat_object_field": "object", "threat_object_type": "other"}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 50}, {"risk_object_field": "object", "risk_object_type": "other", "risk_score": 50}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -1250,7 +1250,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - PingID New MFA Method After Credential Reset - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -1273,7 +1273,7 @@ search = `pingid` "result.message" = "*Device Paired*" | rex field=result.messag
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies the registration of a new Multi Factor authentication method for a PingID (PingOne) account. Adversaries who have obtained unauthorized access to a user account may register a new MFA method to maintain persistence.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies the registration of a new Multi Factor authentication method for a PingID (PingOne) account. Adversaries who have obtained unauthorized access to a user account may register a new MFA method to maintain persistence.
 action.escu.how_to_implement = Target environment must ingest JSON logging from a PingID(PingOne) enterprise environment, either via Webhook or Push Subscription.
@@ -1288,7 +1288,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Compromised User Account"]
 action.risk = 1
 action.risk.param._risk_message = An MFA configuration change was detected for [$user$], the device [$object$] was $action$.
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 10}, {"risk_object_field": "src", "risk_object_type": "system", "risk_score": 10}, {"threat_object_field": "object", "threat_object_type": "other"}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 10}, {"risk_object_field": "src", "risk_object_type": "system", "risk_score": 10}, {"risk_object_field": "object", "risk_object_type": "other", "risk_score": 10}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -1296,7 +1296,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - PingID New MFA Method Registered For User - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1621", "T1556.006", "T1098.005"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -1319,7 +1319,7 @@ search = `pingid` "result.message"="Device Paired*" result.status="SUCCESS" |
 action.escu = 0
 action.escu.enabled = 1
 description = In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can exploit an absolute path traversal to execute arbitrary code that is located on a separate disk.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1083"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1083"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can exploit an absolute path traversal to execute arbitrary code that is located on a separate disk.
 action.escu.how_to_implement = Must have access to internal indexes. Only applies to Splunk on Windows versions.
@@ -1337,7 +1337,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Splunk Absolute Path Traversal Using runshellscript - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2023-40597"], "impact": 50, "mitre_attack": ["T1083"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2023-40597"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1083"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -1354,7 +1354,7 @@ search = `splunk_python` *runshellscript* | eval log_split=split(_raw, "runshel
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. Splunk drilldown vulnerability disclosure in Dashboard application that can potentially allow exposure of tokens from privilege users. An attacker can create dashboard and share it to privileged user (admin) and detokenize variables using external urls within dashboards drilldown function.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1087"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = Splunk drilldown vulnerability disclosure in Dashboard application that can potentially allow exposure of tokens from privilege users. An attacker can create dashboard and share it to privileged user (admin) and detokenize variables using external urls within dashboards drilldown function.
 action.escu.how_to_implement = This search uses REST function to query for dashboards with environment variables present in URL options.
@@ -1369,7 +1369,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Splunk Vulnerabilities"]
 action.risk = 1
 action.risk.param._risk_message = Potential exposure of environment variables from url embedded in dashboard
-action.risk.param._risk = [{"risk_object_field": "author", "risk_object_type": "user", "risk_score": 40}]
+action.risk.param._risk = [{"risk_object_field": "author", "risk_object_type": "other", "risk_score": 40}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -1377,7 +1377,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Splunk Account Discovery Drilldown Dashboard Disclosure - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2022-37438"], "impact": 50, "mitre_attack": ["T1087"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2022-37438"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -1400,7 +1400,7 @@ search = | rest splunk_server=local /servicesNS/-/-/data/ui/views | search eai:d
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search provides information to investigate possible remote code execution exploitation via user-supplied Extensible Stylesheet Language Transformations (XSLT), affecting Splunk versions 9.1.x.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search provides information to investigate possible remote code execution exploitation via user-supplied Extensible Stylesheet Language Transformations (XSLT), affecting Splunk versions 9.1.x.
 action.escu.how_to_implement = Because there is no way to detect the payload, this search only provides the ability to monitor the creation of lookups which are the base of this exploit. An operator must then investigate suspicious lookups. This search requires ability to perform REST queries. Note that if the Splunk App for Lookup File Editing is not, or was not, installed in the Splunk environment then it is not necessary to run the search as the enviornment was not vulnerable.
@@ -1418,7 +1418,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Splunk App for Lookup File Editing RCE via User XSLT - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 2, "impact": 50, "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 2, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -1435,7 +1435,7 @@ search = | rest splunk_server=local /services/data/lookup-table-files/ | fields
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This hunting search provides information about a vulnerability in Splunk Enterprise versions below 8.2.9, 8.1.12, 9.0.2, where an authenticated user can execute arbitrary code via the dashboard pdf generation component. Please review events with file=export in the _internal index for the potential targets of exploitation.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This hunting search provides information about a vulnerability in Splunk Enterprise versions below 8.2.9, 8.1.12, 9.0.2, where an authenticated user can execute arbitrary code via the dashboard pdf generation component. Please review events with file=export in the _internal index for the potential targets of exploitation.
 action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.
@@ -1453,7 +1453,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Splunk Code Injection via custom dashboard leading to RCE - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2022-43571"], "impact": 50, "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2022-43571"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -1470,7 +1470,7 @@ search = `splunkd_ui` uri_path=*/data/ui/views/* OR uri_path=*saved/searches/* |
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies the use of the risky command - Delete - that may be utilized in Splunk to delete some or all data queried for. In order to use Delete in Splunk, one must be assigned the role. This is typically not used and should generate an anomaly if it is used.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Splunk_Audit"]
 action.escu.eli5 = The following analytic identifies the use of the risky command - Delete - that may be utilized in Splunk to delete some or all data queried for. In order to use Delete in Splunk, one must be assigned the role. This is typically not used and should generate an anomaly if it is used.
 action.escu.how_to_implement = To successfully implement this search acceleration is recommended against the Search_Activity datamodel that runs against the splunk _audit index. In addition, this analytic requires the Common Information Model App which includes the Splunk Audit Datamodel https://splunkbase.splunk.com/app/1621/.
@@ -1493,7 +1493,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Splunk Command and Scripting Interpreter Delete Usage - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 30, "cve": ["CVE-2022-32154"], "impact": 90, "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 30, "cve": ["CVE-2022-32154"], "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -1510,7 +1510,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The Splunk platform contains built-in search processing language (SPL) safeguards to warn you when you are about to unknowingly run a search that contains commands that might be a security risk. This warning appears when you click a link or type a URL that loads a search that contains risky commands. The warning does not appear when you create ad hoc searches. This warning alerts you to the possibility of unauthorized actions by a malicious user. Unauthorized actions include - Copying or transferring data (data exfiltration), Deleting data and Overwriting data. All risky commands may be found here https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warninga. A possible scenario when this might occur is when a malicious actor creates a search that includes commands that exfiltrate or damage data. The malicious actor then sends an unsuspecting user a link to the search. The URL contains a query string (q) and a search identifier (sid), but the sid is not valid. The malicious actor hopes the user will use the link and the search will run. During analysis, pivot based on user name and filter any user or queries not needed. Queries ran from a dashboard are seen as adhoc queries. When a query runs from a dashboard it will not show in audittrail logs the source dashboard name. The query defaults to adhoc and no Splunk system user activity. In addition, modify this query by removing key commands that generate too much noise, or too little, and create separate queries with higher confidence to alert on.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Splunk_Audit"]
 action.escu.eli5 = The Splunk platform contains built-in search processing language (SPL) safeguards to warn you when you are about to unknowingly run a search that contains commands that might be a security risk. This warning appears when you click a link or type a URL that loads a search that contains risky commands. The warning does not appear when you create ad hoc searches. This warning alerts you to the possibility of unauthorized actions by a malicious user. Unauthorized actions include - Copying or transferring data (data exfiltration), Deleting data and Overwriting data. All risky commands may be found here https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warninga. A possible scenario when this might occur is when a malicious actor creates a search that includes commands that exfiltrate or damage data. The malicious actor then sends an unsuspecting user a link to the search. The URL contains a query string (q) and a search identifier (sid), but the sid is not valid. The malicious actor hopes the user will use the link and the search will run. During analysis, pivot based on user name and filter any user or queries not needed. Queries ran from a dashboard are seen as adhoc queries. When a query runs from a dashboard it will not show in audittrail logs the source dashboard name. The query defaults to adhoc and no Splunk system user activity. In addition, modify this query by removing key commands that generate too much noise, or too little, and create separate queries with higher confidence to alert on.
action.escu.how_to_implement = To successfully implement this search acceleration is recommended against the Search_Activity datamodel that runs against the splunk _audit index. In addition, this analytic requires the Common Information Model App which includes the Splunk Audit Datamodel https://splunkbase.splunk.com/app/1621/. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.
@@ -1528,7 +1528,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Splunk Command and Scripting Interpreter Risky Commands - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 40, "cve": ["CVE-2022-32154"], "impact": 50, "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 40, "cve": ["CVE-2022-32154"], "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -1545,7 +1545,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This detection utilizes machine learning model named "risky_command_abuse" trained from "Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline". It should be scheduled to run hourly to detect whether a user has run searches containing risky SPL from this list https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warninga with abnormally long running time in the past one hour, comparing with his/her past seven days history. This search uses the trained baseline to infer whether a search is an outlier (isOutlier ~= 1.0) or not (isOutlier~= 0.0) -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} action.escu.data_models = ["Splunk_Audit"] action.escu.eli5 = This detection utilizes machine learning model named "risky_command_abuse" trained from "Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline". It should be scheduled to run hourly to detect whether a user has run searches containing risky SPL from this list https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warninga with abnormally long running time in the past one hour, comparing with his/her past seven days history. This search uses the trained baseline to infer whether a search is an outlier (isOutlier ~= 1.0) or not (isOutlier~= 0.0) action.escu.how_to_implement = This detection depends on MLTK app which can be found here - https://splunkbase.splunk.com/app/2890/ and the Splunk Audit datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. 
Baseline model needs to be built using "Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline" before this search can run. Please note that the current search only finds matches exactly one space between separator bar and risky commands. @@ -1568,7 +1568,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 40, "cve": ["CVE-2022-32154"], "impact": 50, "mitre_attack": ["T1059"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 40, "cve": ["CVE-2022-32154"], "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -1585,7 +1585,7 @@ search = | tstats sum(Search_Activity.total_run_time) AS run_time, values(Search action.escu = 0 action.escu.enabled = 1 description = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a cross-site request forgery in the Splunk Secure Gateway (SSG) app in the kvstore_client endpoint allows for updating SSG KV store collections via a GET request. SSG is a Splunk Built app included by default with Splunk Enterprise. The vulnerability affects instances with SSG and Splunk Web enabled. This hunting search provides information on affected server specific method and post data that may reveal exploitation of this vulnerability. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a cross-site request forgery in the Splunk Secure Gateway (SSG) app in the kvstore_client endpoint allows for updating SSG KV store collections via a GET request. SSG is a Splunk Built app included by default with Splunk Enterprise. The vulnerability affects instances with SSG and Splunk Web enabled. This hunting search provides information on affected server specific method and post data that may reveal exploitation of this vulnerability. action.escu.how_to_implement = Requires access to internal index. 
@@ -1608,7 +1608,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk csrf in the ssg kvstore client endpoint - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-22942"], "impact": 50, "mitre_attack": ["T1189"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-22942"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -1631,7 +1631,7 @@ search = `splunkda` uri_path="/en-US/splunkd/__raw/services/ssg/kvstore_client" action.escu = 0 action.escu.enabled = 1 description = This hunting search allows operator to discover attempts to exfiltrate data by executing a prepositioned malicious search ID in Analytic Workspace in Splunk Enterprise versions 8.2.9,8.1.12,9.0.2. The attack is browser-based. It requires the attacker to compel a victim to initiate a request within their browser (phishing). The attacker cannot exploit the vulnerability at will. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1567"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1567"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This hunting search allows operator to discover attempts to exfiltrate data by executing a prepositioned malicious search ID in Analytic Workspace in Splunk Enterprise versions 8.2.9,8.1.12,9.0.2. The attack is browser-based. It requires the attacker to compel a victim to initiate a request within their browser (phishing). The attacker cannot exploit the vulnerability at will. action.escu.how_to_implement = The vulnerability affects only instances with Splunk Web Enabled. After running this search, please run "Splunk Command and Scripting Interpreter Risky SPL MLTK" to gain more insight into potentially risky commands which could lead to data exfiltration. 
@@ -1649,7 +1649,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk Data exfiltration from Analytics Workspace using sid query - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2022-43566"], "impact": 50, "mitre_attack": ["T1567"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2022-43566"], "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1567"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -1666,7 +1666,7 @@ search = `audit_searches` info=granted search NOT ("audit_searches") search NOT action.escu = 0 action.escu.enabled = 1 description = This search will check the TLS validation is properly configured on the search head it is run from as well as its search peers after Splunk version 9. Other components such as additional search heads or anything this rest command cannot be distributed to will need to be manually checked. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1587.003"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1587.003"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search will check the TLS validation is properly configured on the search head it is run from as well as its search peers after Splunk version 9. Other components such as additional search heads or anything this rest command cannot be distributed to will need to be manually checked. action.escu.how_to_implement = The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (the `dispatch_rest_to_indexers` capability) in some architectures. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks. 
@@ -1684,7 +1684,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk Digital Certificates Infrastructure Version - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2022-32153"], "impact": 50, "mitre_attack": ["T1587.003"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2022-32153"], "impact": 50, "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1587.003"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -1701,7 +1701,7 @@ search = | rest /services/server/info | table splunk_server version server_roles action.escu = 0 action.escu.enabled = 1 description = On June 14th, 2022, Splunk released a security advisory relating to the authentication that happens between Universal Forwarders and Deployment Servers. In some circumstances, an unauthenticated client can download forwarder bundles from the Deployment Server. In other circumstances, a client may be allowed to publish a forwarder bundle to other clients, which may allow for arbitrary code execution. The fixes for these require upgrading to at least Splunk 9.0 on the forwarder as well. This is a great opportunity to configure TLS across the environment. This search looks for forwarders that are not using TLS and adds risk to those entities. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1587.003"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1587.003"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = On June 14th, 2022, Splunk released a security advisory relating to the authentication that happens between Universal Forwarders and Deployment Servers. In some circumstances, an unauthenticated client can download forwarder bundles from the Deployment Server. In other circumstances, a client may be allowed to publish a forwarder bundle to other clients, which may allow for arbitrary code execution. The fixes for these require upgrading to at least Splunk 9.0 on the forwarder as well. This is a great opportunity to configure TLS across the environment. This search looks for forwarders that are not using TLS and adds risk to those entities. action.escu.how_to_implement = This anomaly search looks for forwarder connections that are not currently using TLS. It then presents the source IP, the type of forwarder, and the version of the forwarder. 
You can also remove the "ssl=false" argument from the initial stanza in order to get a full list of all your forwarders that are sending data, and the version of Splunk software they are running, for audit purposes. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks. @@ -1724,7 +1724,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk Digital Certificates Lack of Encryption - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2022-32151"], "impact": 25, "mitre_attack": ["T1587.003"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2022-32151"], "impact": 25, "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1587.003"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -1741,7 +1741,7 @@ search = `splunkd` group="tcpin_connections" ssl="false" | stats values(sourceIp action.escu = 0 action.escu.enabled = 1 description = In Splunk Enterprise versions lower than 9.0.6, and 8.2.12, an attacker can send a malformed security assertion markup language SAML request to the /saml/acs REST endpoint which can cause a denial of service through a crash or hang of the Splunk daemon.The SAML extensible markup language (XML) parser does not fail SAML signature validation when the attacker modifies the URI in the SAML request. Instead it attempts to access the modified URI, which causes the Splunk daemon to crash or hang. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1498"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1498"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = In Splunk Enterprise versions lower than 9.0.6, and 8.2.12, an attacker can send a malformed security assertion markup language SAML request to the /saml/acs REST endpoint which can cause a denial of service through a crash or hang of the Splunk daemon.The SAML extensible markup language (XML) parser does not fail SAML signature validation when the attacker modifies the URI in the SAML request. Instead it attempts to access the modified URI, which causes the Splunk daemon to crash or hang. action.escu.how_to_implement = To run this search, you must have access to the _internal index. 
@@ -1759,7 +1759,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk DoS Using Malformed SAML Request - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 30, "impact": 50, "mitre_attack": ["T1498"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 30, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1498"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -1776,7 +1776,7 @@ search = `splunkd` event_message=*error* expr=*xpointer* | stats count min(_time action.escu = 0 action.escu.enabled = 1 description = In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an attacker can exploit a vulnerability in the dump SPL command to cause a Denial of Service by crashing the Splunk daemon. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1499.004"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499.004"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an attacker can exploit a vulnerability in the dump SPL command to cause a Denial of Service by crashing the Splunk daemon. action.escu.how_to_implement = This search does not require additional ingestion of data. Requires the ability to search _internal index and monitor segmentation faults. 
@@ -1794,7 +1794,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk DOS Via Dump SPL Command - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "mitre_attack": ["T1499.004"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499.004"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -1811,7 +1811,7 @@ search = `splunk_crash_log` "*Segmentation fault*" | stats count by host _time | action.escu = 0 action.escu.enabled = 1 description = On March 24th, 2022, Splunk published a security advisory for a possible Denial of Service stemming from the lack of validation in a specific key-value field in the Splunk-to-Splunk (S2S) protocol. This detection will alert on attempted exploitation in patched versions of Splunk. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1498"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1498"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = On March 24th, 2022, Splunk published a security advisory for a possible Denial of Service stemming from the lack of validation in a specific key-value field in the Splunk-to-Splunk (S2S) protocol. This detection will alert on attempted exploitation in patched versions of Splunk. action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection will only find attempted exploitation on versions of Splunk already patched for CVE-2021-3422. 
@@ -1826,7 +1826,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Splunk Vulnerabilities"] action.risk = 1 action.risk.param._risk_message = An attempt to exploit CVE-2021-3422 was detected from $src$ against $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 50}, {"risk_object_field": "src", "risk_object_type": "system", "risk_score": 50}] +action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 50}, {"risk_object_field": "src", "risk_object_type": "other", "risk_score": 50}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -1834,7 +1834,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk DoS via Malformed S2S Request - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-3422"], "impact": 50, "mitre_attack": ["T1498"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-3422"], "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1498"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -1857,7 +1857,7 @@ search = `splunkd` log_level="ERROR" component="TcpInputProc" thread_name="FwdDa action.escu = 0 action.escu.enabled = 1 description = This hunting search provides information on detecting a vulnerability In Splunk Enterprise versions lower than 8.1.14, 8.2.12, 9.0.6, and 9.1.1, an attacker can use the printf SPL function to perform a denial of service against the Splunk Enterprise instance. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1499.004"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499.004"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This hunting search provides information on detecting a vulnerability In Splunk Enterprise versions lower than 8.1.14, 8.2.12, 9.0.6, and 9.1.1, an attacker can use the printf SPL function to perform a denial of service against the Splunk Enterprise instance. action.escu.how_to_implement = This search requires the ability to search internal indexes. @@ -1875,7 +1875,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk DOS via printf search function - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2023-40594"], "impact": 100, "mitre_attack": ["T1499.004"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2023-40594"], "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499.004"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -1892,7 +1892,7 @@ search = `audit_searches` "*makeresults * eval * fieldformat *printf*" user!="sp action.escu = 0 action.escu.enabled = 1 description = A low-privilege user who holds a role that has the edit_user capability assigned to it can escalate their privileges to that of the admin user by providing specially crafted web requests. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = A low-privilege user who holds a role that has the edit_user capability assigned to it can escalate their privileges to that of the admin user by providing specially crafted web requests. action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to discover abuse of edit_user privilege. @@ -1910,7 +1910,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk Edit User Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2023-32707"], "impact": 80, "mitre_attack": ["T1548"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2023-32707"], "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -1927,7 +1927,7 @@ search = `audittrail` action IN ("change_own_password","password_change","edit_p action.escu = 0 action.escu.enabled = 1 description = This search allows operator to identify Splunk search app crashes resulting from specially crafted ZIP file using file monitoring that affects UF versions 8.1.11 and 8.2 versions below 8.2.7.1. It is not possible to detect Zip Bomb attack before crash. This search will provide Universal Forwarder errors from uploaded binary files (zip compression) which are used for this attack. If an analyst sees results from this search we suggest you investigate and triage what zip file was uploaded, zip compressed files may have different extensions. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search allows operator to identify Splunk search app crashes resulting from specially crafted ZIP file using file monitoring that affects UF versions 8.1.11 and 8.2 versions below 8.2.7.1. It is not possible to detect Zip Bomb attack before crash. This search will provide Universal Forwarder errors from uploaded binary files (zip compression) which are used for this attack. If an analyst sees results from this search we suggest you investigate and triage what zip file was uploaded, zip compressed files may have different extensions. action.escu.how_to_implement = Need to monitor Splunkd data from Universal Forwarders. 
@@ -1950,7 +1950,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk Endpoint Denial of Service DoS Zip Bomb - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 75, "cve": ["CVE-2022-37439"], "impact": 100, "mitre_attack": ["T1499"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 75, "cve": ["CVE-2022-37439"], "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -1973,7 +1973,7 @@ search = `splunkd` component=FileClassifierManager event_message=*invalid* event action.escu = 0 action.escu.enabled = 1 description = In Splunk Enterprise versions below 9.0.8 and 9.1.3, Splunk app key value store KV Store improperly handles permissions for users using the REST application programming interface (API). This can potentially result in the deletion of KV Store collections. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = In Splunk Enterprise versions below 9.0.8 and 9.1.3, Splunk app key value store KV Store improperly handles permissions for users using the REST application programming interface (API). This can potentially result in the deletion of KV Store collections. action.escu.how_to_implement = Requires access to internal indexes and REST API enabled instances. 
@@ -1991,7 +1991,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk Enterprise KV Store Incorrect Authorization - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2024-23675"], "impact": 50, "mitre_attack": ["T1548"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2024-23675"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -2008,7 +2008,7 @@ search = `splunkda` uri=/servicesNS/nobody/search/admin/collections-conf/_reload action.escu = 0 action.escu.enabled = 1 description = In Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3, Splunk Enterprise does not correctly sanitize path input data resulting in the unsafe deserialization of untrusted data. This vulnerability only affects Splunk Enterprise for Windows. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = In Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3, Splunk Enterprise does not correctly sanitize path input data resulting in the unsafe deserialization of untrusted data. This vulnerability only affects Splunk Enterprise for Windows. action.escu.how_to_implement = Requires access to internal indexes. This detection search will display irregular path file execution, which will display exploit attempts. Only applies to Microsoft Windows Splunk versions. 
@@ -2031,7 +2031,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk Enterprise Windows Deserialization File Partition - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2024-23678"], "impact": 100, "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2024-23678"], "impact": 100, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -2054,7 +2054,7 @@ search = `splunk_python` request_path="/en-US/app/search/C:\\Program" *strings* action.escu = 0 action.escu.enabled = 1 description = In Splunk Enterprise Security (ES) versions lower than 7.1.2, an attacker can create a malformed Investigation to perform a denial of service (DoS). The malformed investigation prevents the generation and rendering of the Investigations manager until it is deleted. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = In Splunk Enterprise Security (ES) versions lower than 7.1.2, an attacker can create a malformed Investigation to perform a denial of service (DoS). The malformed investigation prevents the generation and rendering of the Investigations manager until it is deleted. action.escu.how_to_implement = This search requires access to internal indexes. Only affects Splunk Enterprise Security versions lower than 7.1.2. 
@@ -2069,7 +2069,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Splunk Vulnerabilities"] action.risk = 1 action.risk.param._risk_message = Denial of Service Attack against Splunk ES Investigation Manager by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 100}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 100}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -2077,7 +2077,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk ES DoS Investigations Manager via Investigation Creation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2024-22165"], "impact": 100, "mitre_attack": ["T1499"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2024-22165"], "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -2100,7 +2100,7 @@ search = `splunkd_investigation_rest_handler` method=put msg=*investigation* sta action.escu = 0 action.escu.enabled = 1 description = In Splunk Enterprise Security (ES) versions below 7.1.2, an attacker can use investigation attachments to perform a denial of service (DoS) to the Investigation. The attachment endpoint does not properly limit the size of the request which lets an attacker cause the Investigation to become inaccessible. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = In Splunk Enterprise Security (ES) versions below 7.1.2, an attacker can use investigation attachments to perform a denial of service (DoS) to the Investigation. The attachment endpoint does not properly limit the size of the request which lets an attacker cause the Investigation to become inaccessible. action.escu.how_to_implement = This search requires access to internal indexes, only affects Enterprise Security versions below 7.1.2. @@ -2123,7 +2123,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk ES DoS Through Investigation Attachments - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2024-22164"], "impact": 100, "mitre_attack": ["T1499"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2024-22164"], "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -2146,7 +2146,7 @@ search = `splunkd_investigation_rest_handler` status=error object=investigation action.escu = 0 action.escu.enabled = 1 description = A low-privileged user, using a specially crafted search command, can trigger an HTTP response splitting vulnerability with the rest SPL command that lets them potentially access other REST endpoints in the system arbitrarily, including accessing restricted content such as password files. This is because the user is able to inject the rest SPL command into the q parameter of an HTTP GET web request. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1027.006"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027.006"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = A low-privileged user, using a specially crafted search command, can trigger an HTTP response splitting vulnerability with the rest SPL command that lets them potentially access other REST endpoints in the system arbitrarily, including accessing restricted content such as password files. This is because the user is able to inject the rest SPL command into the q parameter of an HTTP GET web request. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will. action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This search may assist in detecting possible http response splitting exploitation attemptss. 
@@ -2164,7 +2164,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk HTTP Response Splitting Via Rest SPL Command - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1027.006"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027.006"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -2181,7 +2181,7 @@ search = `audit_searches` AND search IN ("*|*rest*POST*","*|*rest*PUT*","*|*rest action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, when the INGEST\\_EVAL parameter is improperly formatted, it crashes splunkd. This hunting search provides the user, timing and number of times the crashing command was executed. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]} action.escu.data_models = ["Splunk_Audit"] action.escu.eli5 = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, when the INGEST\\_EVAL parameter is improperly formatted, it crashes splunkd. This hunting search provides the user, timing and number of times the crashing command was executed. action.escu.how_to_implement = Requires access to audittrail and use of Splunk_Audit.Search_Activity datamodel. @@ -2196,7 +2196,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Splunk Vulnerabilities"] action.risk = 1 action.risk.param._risk_message = An attempt to exploit ingest eval parameter was detected from $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 100}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 100}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -2204,7 +2204,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Splunk Improperly Formatted Parameter Crashes splunkd - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2023-22941"], "impact": 100, "mitre_attack": ["T1499"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2023-22941"], "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -2227,7 +2227,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = In Splunk Add-on Builder versions below 4.1.4, the application writes sensitive information to its internal log files when you visit the Splunk Add-on Builder or when you build or edit a custom app or add-on. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1082"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = In Splunk Add-on Builder versions below 4.1.4, the application writes sensitive information to its internal log files when you visit the Splunk Add-on Builder or when you build or edit a custom app or add-on. action.escu.how_to_implement = This search should be run on search heads where Splunk Add-on Builder may be installed. The results of this search will conclusively show whether or not a vulnerable version of Splunk Add-on Builder is currently installed. 
@@ -2245,7 +2245,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk Information Disclosure in Splunk Add-on Builder - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "mitre_attack": ["T1082"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -2262,7 +2262,7 @@ search = | rest /services/apps/local | search disabled=0 core=0 label="Splunk Ad action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search will enumerate all Splunk Accounts with administrative rights on this instance. It deliberately ignores the default admin account since this is assumed to be present. This search may help in a detection the Cross-Site Scripting Attack listed: In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting in an XML View through the 'layoutPanel' attribute in the 'module' tag. The vulnerability affects instances with Splunk Web enabled. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search will enumerate all Splunk Accounts with administrative rights on this instance. It deliberately ignores the default admin account since this is assumed to be present. This search may help in a detection the Cross-Site Scripting Attack listed: In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting in an XML View through the 'layoutPanel' attribute in the 'module' tag. The vulnerability affects instances with Splunk Web enabled. action.escu.how_to_implement = The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (the `dispatch_rest_to_indexers` capability) in some architectures. 
If there have been admin account, in addition to the standard admin account, intentionally created on this server, then edit the filter macro to exclude them. @@ -2280,7 +2280,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Splunk list all nonstandard admin accounts - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-22933"], "impact": 50, "mitre_attack": ["T1189"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-22933"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -2297,7 +2297,7 @@ search = | rest splunk_server=local /services/authentication/users |search capab action.escu = 0 action.escu.enabled = 1 description = In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a low-privilege user who holds the user role can see the hashed version of the initial user name and password for the Splunk instance by using the rest SPL command against the conf-user-seed REST endpoint. This can lead to a privilege escalation that lets the user take over the admin account on the instance. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1212"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1212"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a low-privilege user who holds the user role can see the hashed version of the initial user name and password for the Splunk instance by using the rest SPL command against the conf-user-seed REST endpoint. This can lead to a privilege escalation that lets the user take over the admin account on the instance. action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to discover attempts to access con-user-seed file content. 
@@ -2315,7 +2315,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk Low Privilege User Can View Hashed Splunk Password - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "mitre_attack": ["T1212"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1212"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -2332,7 +2332,7 @@ search = `splunkd_web` uri="*/servicesNS/nobody/system/configs/conf-user-seed*" action.escu = 0 action.escu.enabled = 1 description = In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a low-privilege user with access to the Splunk App for Lookup File Editing can, with a specially crafted web request, trigger a path traversal exploit that can then be used to read and write to restricted areas of the Splunk installation directory, including but not limited to the password hash file for the instance. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1083"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1083"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a low-privilege user with access to the Splunk App for Lookup File Editing can, with a specially crafted web request, trigger a path traversal exploit that can then be used to read and write to restricted areas of the Splunk installation directory, including but not limited to the password hash file for the instance. action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection is meant for on premise environments, and if executed on internet facing servers without a WAF may produce a lot of results. This detection will not work against obfuscated path traversal requests. 
@@ -2350,7 +2350,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk Path Traversal In Splunk App For Lookup File Edit - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "mitre_attack": ["T1083"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1083"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -2367,7 +2367,7 @@ search = `splunkda` uri_query=*lookup_file* | table clientip uri_query lookup_fi action.escu = 0 action.escu.enabled = 1 description = In Splunk Enterprise 9.0 versions before 9.0.4, a View allows for Cross-Site Scripting through the error message in a Base64-encoded image. The vulnerability affects instances with Splunk Web enabled. It does not affect Splunk Enterprise versions below 9.0. This search provides information on what user may have potentially added a malicious payload and what users were exposed to it. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = In Splunk Enterprise 9.0 versions before 9.0.4, a View allows for Cross-Site Scripting through the error message in a Base64-encoded image. The vulnerability affects instances with Splunk Web enabled. It does not affect Splunk Enterprise versions below 9.0. This search provides information on what user may have potentially added a malicious payload and what users were exposed to it. action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index 
@@ -2390,7 +2390,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-22932"], "impact": 50, "mitre_attack": ["T1189"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-22932"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -2413,7 +2413,7 @@ search = `audit_searches` path=/opt/splunk/etc/users/*/search/local/data/ui/view action.escu = 0 action.escu.enabled = 1 description = In Splunk Enterprise versions below 9.0.4, 8.2.10, and 8.1.13, a low-privileged user can bypass URL validation to perform a path traversal and access restricted and confidential information by targeting other users on the instance, including the admin user. The only affected version of bootstrap which shipped with Splunk was version 2.3.1, so the search is targeted at that version alone. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = In Splunk Enterprise versions below 9.0.4, 8.2.10, and 8.1.13, a low-privileged user can bypass URL validation to perform a path traversal and access restricted and confidential information by targeting other users on the instance, including the admin user. The only affected version of bootstrap which shipped with Splunk was version 2.3.1, so the search is targeted at that version alone. action.escu.how_to_implement = This search does not require additional data to be ingested. This search requires ability to search _internal index. This search helps discover access to vulnerable bootstrap versions. 
@@ -2431,7 +2431,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk Persistent XSS Via URL Validation Bypass W Dashboard - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 20, "cve": ["CVE-2019-8331"], "impact": 80, "mitre_attack": ["T1189"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 20, "cve": ["CVE-2019-8331"], "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -2448,7 +2448,7 @@ search = `splunkd_web` method=GET uri_path="*bootstrap-2.3.1*" file="*.js" | tab action.escu = 0 action.escu.enabled = 1 description = On June 14th, 2022, Splunk released a security advisory relating to the authentication that happens between Universal Forwarders and Deployment Servers. In some circumstances, an unauthenticated client can download forwarder bundles from the Deployment Server. This hunting search pulls a full list of forwarder bundle downloads where the peer column is the forwarder, the host column is the Deployment Server, and then you have a list of the apps downloaded and the serverclasses in which the peer is a member of. You should look for apps or clients that you do not recognize as being part of your environment. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = On June 14th, 2022, Splunk released a security advisory relating to the authentication that happens between Universal Forwarders and Deployment Servers. In some circumstances, an unauthenticated client can download forwarder bundles from the Deployment Server. This hunting search pulls a full list of forwarder bundle downloads where the peer column is the forwarder, the host column is the Deployment Server, and then you have a list of the apps downloaded and the serverclasses in which the peer is a member of. You should look for apps or clients that you do not recognize as being part of your environment. action.escu.how_to_implement = This hunting search uses native logs produced when a deployment server is within your environment. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. 
In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks. @@ -2466,7 +2466,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk Process Injection Forwarder Bundle Downloads - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2022-32157"], "impact": 50, "mitre_attack": ["T1055"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2022-32157"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -2483,7 +2483,7 @@ search = `splunkd` component="PackageDownloadRestHandler" | stats values(app) va action.escu = 0 action.escu.enabled = 1 description = On June 14th, 2022, Splunk released a security advisory relating to TLS validation occuring within the httplib and urllib python libraries shipped with Splunk. In addition to upgrading to Splunk Enterprise 9.0 or later, several configuration settings need to be set. This search will check those configurations on the search head it is run from as well as its search peers. In addition to these settings, the PYTHONHTTPSVERIFY setting in $SPLUNK_HOME/etc/splunk-launch.conf needs to be enabled as well. Other components such as additional search heads or anything this rest command cannot be distributed to will need to be manually checked. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1001.003"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1001.003"], "nist": ["DE.AE"]} action.escu.data_models = ["Web"] action.escu.eli5 = On June 14th, 2022, Splunk released a security advisory relating to TLS validation occuring within the httplib and urllib python libraries shipped with Splunk. In addition to upgrading to Splunk Enterprise 9.0 or later, several configuration settings need to be set. This search will check those configurations on the search head it is run from as well as its search peers. In addition to these settings, the PYTHONHTTPSVERIFY setting in $SPLUNK_HOME/etc/splunk-launch.conf needs to be enabled as well. Other components such as additional search heads or anything this rest command cannot be distributed to will need to be manually checked. action.escu.how_to_implement = The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (The `dispatch_rest_to_indexers` capability). 
Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks. @@ -2501,7 +2501,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk Protocol Impersonation Weak Encryption Configuration - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2022-32151"], "impact": 50, "mitre_attack": ["T1001.003"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2022-32151"], "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1001.003"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -2518,7 +2518,7 @@ search = | rest /services/server/info | table splunk_server version server_roles action.escu = 0 action.escu.enabled = 1 description = On June 14th 2022, Splunk released vulnerability advisory addresing Python TLS validation which was not set before Splunk version 9. This search displays events showing WARNING of using Splunk issued default selfsigned certificates. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1588.004"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1588.004"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = On June 14th 2022, Splunk released vulnerability advisory addresing Python TLS validation which was not set before Splunk version 9. This search displays events showing WARNING of using Splunk issued default selfsigned certificates. action.escu.how_to_implement = Must upgrade to Splunk version 9 and Configure TLS in order to apply this search. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks. 
@@ -2536,7 +2536,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk protocol impersonation weak encryption selfsigned - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2022-32152"], "impact": 50, "mitre_attack": ["T1588.004"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2022-32152"], "impact": 50, "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1588.004"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -2553,7 +2553,7 @@ search = `splunkd` certificate event_message="X509 certificate* should not be us action.escu = 0 action.escu.enabled = 1 description = On Splunk version 9 on Python3 client libraries verify server certificates by default and use CA certificate store. This search warns a user about a failure to validate a certificate using python3 request. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1588.004"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1588.004"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = On Splunk version 9 on Python3 client libraries verify server certificates by default and use CA certificate store. This search warns a user about a failure to validate a certificate using python3 request. action.escu.how_to_implement = Must upgrade to Splunk version 9 and Configure TLS host name validation for Splunk Python modules in order to apply this search. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as "curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json". A user should then create an empty container or case, attach the workbook, and begin working through the tasks. 
@@ -2571,7 +2571,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Splunk protocol impersonation weak encryption simplerequest - Rule -action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2022-32152"], "impact": 50, "mitre_attack": ["T1588.004"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2022-32152"], "impact": 50, "kill_chain_phases": ["Weaponization"], "mitre_attack": ["T1588.004"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -2588,7 +2588,7 @@ search = `splunk_python` "simpleRequest SSL certificate validation is enabled wi action.escu = 0 action.escu.enabled = 1 description = An unauthorized user can use the /services/indexing/preview REST endpoint to overwrite search results if they know the search ID (SID) of an existing search job. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1134"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = An unauthorized user can use the /services/indexing/preview REST endpoint to overwrite search results if they know the search ID (SID) of an existing search job. action.escu.how_to_implement = This search does not require additional data ingestion. It requires the ability to search _internal index. 
@@ -2606,7 +2606,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Splunk RBAC Bypass On Indexing Preview REST Endpoint - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1134"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -2623,7 +2623,7 @@ search = `splunkda` method="POST" uri="*/services/indexing/preview*" | table hos
 action.escu = 0
 action.escu.enabled = 1
 description = In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can execute a specially crafted query that they can then use to serialize untrusted data. The attacker can use the query to execute arbitrary code. The exploit requires the use of the 'collect' SPL command which writes a file within the Splunk Enterprise installation. The attacker can then use this file to submit a serialized payload that can result in execution of code within the payload. Please refer to the following URL for additional information on these disclosures - https://advisory.splunk.com
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can execute a specially crafted query that they can then use to serialize untrusted data. The attacker can use the query to execute arbitrary code. The exploit requires the use of the 'collect' SPL command which writes a file within the Splunk Enterprise installation. The attacker can then use this file to submit a serialized payload that can result in execution of code within the payload. Please refer to the following URL for additional information on these disclosures - https://advisory.splunk.com
 action.escu.how_to_implement = Requires access to the _audit index.
@@ -2641,7 +2641,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Splunk RCE via Serialized Session Payload - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-40595"], "impact": 50, "mitre_attack": ["T1190"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-40595"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -2658,7 +2658,7 @@ search = `audit_searches` file=* (search="*makeresults*" AND search="*collect*")
 action.escu = 0
 action.escu.enabled = 1
 description = This hunting search provides information on possible exploitation attempts against Splunk Secure Gateway App Mobile Alerts feature in Splunk versions 9.0, 8.2.x, 8.1.x. An authenticated user can run arbitrary operating system commands remotely through the use of specially crafted requests to the mobile alerts feature in the Splunk Secure Gateway app.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This hunting search provides information on possible exploitation attempts against Splunk Secure Gateway App Mobile Alerts feature in Splunk versions 9.0, 8.2.x, 8.1.x. An authenticated user can run arbitrary operating system commands remotely through the use of specially crafted requests to the mobile alerts feature in the Splunk Secure Gateway app.
 action.escu.how_to_implement = This search only applies if Splunk Mobile Gateway is deployed in the vulnerable Splunk versions.
@@ -2676,7 +2676,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2022-43567"], "impact": 90, "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2022-43567"], "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -2693,7 +2693,7 @@ search = `splunkda` uri_path="/servicesNS/nobody/splunk_secure_gateway/storage/c
 action.escu = 0
 action.escu.enabled = 1
 description = This search provides information to investigate possible remote code execution exploitation via user-supplied Extensible Stylesheet Language Transformations (XSLT), affecting Splunk versions 9.1.x.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search provides information to investigate possible remote code execution exploitation via user-supplied Extensible Stylesheet Language Transformations (XSLT), affecting Splunk versions 9.1.x.
 action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.
@@ -2711,7 +2711,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Splunk RCE via User XSLT - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -2728,7 +2728,7 @@ search = `splunkd_ui` ((uri="*NO_BINARY_CHECK=1*" AND "*input.path=*.xsl*") OR u
 action.escu = 0
 action.escu.enabled = 1
 description = Splunk versions below 8.1.12,8.2.9 and 9.0.2 are vulnerable to reflected cross site scripting (XSS). A View allows for a Reflected Cross Site scripting via JavaScript Object Notation (JSON) in a query parameter when ouput_mode=radio.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = Splunk versions below 8.1.12,8.2.9 and 9.0.2 are vulnerable to reflected cross site scripting (XSS). A View allows for a Reflected Cross Site scripting via JavaScript Object Notation (JSON) in a query parameter when ouput_mode=radio.
 action.escu.how_to_implement = This vulnerability only affects instances with Splunk Web enabled. This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.
@@ -2746,7 +2746,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Splunk Reflected XSS in the templates lists radio - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2022-43568"], "impact": 50, "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2022-43568"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -2763,7 +2763,7 @@ search = `splunkd_webx` user=admin status=200 uri=*/lists/entities/x/ui/views* u
 action.escu = 0
 action.escu.enabled = 1
 description = In Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12, an attacker can craft a special web request that can result in reflected cross-site scripting XSS on the app search table web endpoint, which presents as the Create Table View page in Splunk Web. Exploitation of this vulnerability can lead to the execution of arbitrary commands on the Splunk platform instance. A JavaScript file within this web endpoint does not properly validate input which lets an attacker insert a payload into a function.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = In Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12, an attacker can craft a special web request that can result in reflected cross-site scripting XSS on the app search table web endpoint, which presents as the Create Table View page in Splunk Web. Exploitation of this vulnerability can lead to the execution of arbitrary commands on the Splunk platform instance. A JavaScript file within this web endpoint does not properly validate input which lets an attacker insert a payload into a function.
 action.escu.how_to_implement = Need access to the internal indexes.
@@ -2781,7 +2781,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Splunk Reflected XSS on App Search Table Endpoint - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 40, "impact": 30, "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 40, "impact": 30, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -2798,7 +2798,7 @@ search = `splunkd_web` (dataset_commands="*makeresults*" AND dataset_commands="*
 action.escu = 0
 action.escu.enabled = 1
 description = This search looks for a variety of high-risk commands throughout a number of different Splunk Vulnerability Disclosures. Please refer to the following URL for additional information on these disclosures - https://advisory.splunk.com
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548", "T1202"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548", "T1202"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Splunk_Audit"]
 action.escu.eli5 = This search looks for a variety of high-risk commands throughout a number of different Splunk Vulnerability Disclosures. Please refer to the following URL for additional information on these disclosures - https://advisory.splunk.com
 action.escu.how_to_implement = Requires implementation of Splunk_Audit.Search_Activity datamodel.
@@ -2816,7 +2816,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Splunk risky Command Abuse disclosed february 2023 - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-22931", "CVE-2023-22934", "CVE-2023-22935", "CVE-2023-22936", "CVE-2023-22939", "CVE-2023-22940", "CVE-2023-40598", "CVE-2023-40598", "CVE-2023-46214", "CVE-2024-23676"], "impact": 50, "mitre_attack": ["T1548", "T1202"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-22931", "CVE-2023-22934", "CVE-2023-22935", "CVE-2023-22936", "CVE-2023-22939", "CVE-2023-22940", "CVE-2023-40598", "CVE-2023-40598", "CVE-2023-46214", "CVE-2024-23676"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548", "T1202"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -2833,7 +2833,7 @@ search = | tstats fillnull_value="N/A" count min(_time) as firstTime max(_time)
 action.escu = 0
 action.escu.enabled = 1
 description = Splunk Enterprise versions 8.1.12, 8.2.9, 9.0.2 are vulnerable to persistent cross site scripting via Data Model object name. An authenticated user can inject and store arbitrary scripts that can lead to persistent cross-site scripting (XSS) in the object name Data Model.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = Splunk Enterprise versions 8.1.12, 8.2.9, 9.0.2 are vulnerable to persistent cross site scripting via Data Model object name. An authenticated user can inject and store arbitrary scripts that can lead to persistent cross-site scripting (XSS) in the object name Data Model.
 action.escu.how_to_implement = This vulnerability only affects Splunk Web enabled instances. This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.
@@ -2851,7 +2851,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Splunk Stored XSS via Data Model objectName field - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2022-43569"], "impact": 50, "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2022-43569"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -2868,7 +2868,7 @@ search = `splunkd_webx` uri=/en-US/splunkd/__raw/servicesNS/*/launcher/datamodel
 action.escu = 0
 action.escu.enabled = 1
 description = An attacker can use a specially crafted web URL in their browser to cause log file injection, in which the attack inserts American National Standards Institute (ANSI) escape codes into specific files using a terminal program that supports those escape codes. The attack requires a terminal program that supports the translation of ANSI escape codes and requires additional user interaction to successfully execute. This following analytic detects potential log injection attempts into the Splunk server.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = An attacker can use a specially crafted web URL in their browser to cause log file injection, in which the attack inserts American National Standards Institute (ANSI) escape codes into specific files using a terminal program that supports those escape codes. The attack requires a terminal program that supports the translation of ANSI escape codes and requires additional user interaction to successfully execute. This following analytic detects potential log injection attempts into the Splunk server.
 action.escu.how_to_implement = This only affects web enabled Splunk instances. The detection does require the ability to search the _internal index.
@@ -2886,7 +2886,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Splunk Unauthenticated Log Injection Web Service Log - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 30, "cve": ["CVE-2023-32712"], "impact": 30, "mitre_attack": ["T1190"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 30, "cve": ["CVE-2023-32712"], "impact": 30, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -2903,7 +2903,7 @@ search = `splunkd_webx` uri_path IN ("*\x1B*", "*\u001b*", "*\033*", "*\0x9*",
 action.escu = 0
 action.escu.enabled = 1
 description = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table uploads let a user upload lookup tables with unnecessary filename extensions. Lookup table file extensions may now only be one of .csv, .csv.gz, .kmz, .kml, .mmdb, or .mmdb.gz. This search provides user activity focus on uploads which aims to help hunt for malicious file uploads.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table uploads let a user upload lookup tables with unnecessary filename extensions. Lookup table file extensions may now only be one of .csv, .csv.gz, .kmz, .kml, .mmdb, or .mmdb.gz. This search provides user activity focus on uploads which aims to help hunt for malicious file uploads.
 action.escu.how_to_implement = Requires access to internal splunkd_access.
@@ -2926,7 +2926,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Splunk unnecessary file extensions allowed by lookup table uploads - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-22937"], "impact": 50, "mitre_attack": ["T1189"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-22937"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -2949,7 +2949,7 @@ search = `splunkda` method IN ("POST", "DELETE") uri_path=/servicesNS/*/ui/views
 action.escu = 0
 action.escu.enabled = 1
 description = On May 3rd, 2022, Splunk published a security advisory for username enumeration stemming from verbose login failure messages present on some REST endpoints. This detection will alert on attempted exploitation in patched versions of Splunk as well as actual exploitation in unpatched version of Splunk.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = On May 3rd, 2022, Splunk published a security advisory for username enumeration stemming from verbose login failure messages present on some REST endpoints. This detection will alert on attempted exploitation in patched versions of Splunk as well as actual exploitation in unpatched version of Splunk.
 action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to find password spraying or brute force authorization attempts in addition to someone enumerating usernames.
@@ -2964,7 +2964,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Splunk Vulnerabilities"]
 action.risk = 1
 action.risk.param._risk_message = $TotalFailedAuths$ failed authentication events to Splunk from $src$ detected.
-action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 40}]
+action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "other", "risk_score": 40}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -2972,7 +2972,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Splunk User Enumeration Attempt - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2021-33845"], "impact": 50, "mitre_attack": ["T1078"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2021-33845"], "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -2995,7 +2995,7 @@ search = `splunkd_failed_auths` | stats count(user) as auths by user, src | whe
 action.escu = 0
 action.escu.enabled = 1
 description = This detection provides information about possible exploitation against affected versions of Splunk Enterprise 9.1.2. The ability to view JSON logs in the web GUI may be abused by crafting a specific request, causing the execution of javascript in script tags. This vulnerability can be used to execute javascript to access the API at the permission level of the logged-in user. If user is admin it can be used to create an admin user, giving an attacker broad access to the Splunk Environment.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This detection provides information about possible exploitation against affected versions of Splunk Enterprise 9.1.2. The ability to view JSON logs in the web GUI may be abused by crafting a specific request, causing the execution of javascript in script tags. This vulnerability can be used to execute javascript to access the API at the permission level of the logged-in user. If user is admin it can be used to create an admin user, giving an attacker broad access to the Splunk Environment.
 action.escu.how_to_implement = This search only applies to web-GUI-enabled Splunk instances and operator must have access to internal indexes.
@@ -3013,7 +3013,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Splunk XSS in Highlighted JSON Events - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -3030,7 +3030,7 @@ search = `splunkd_ui` "/en-US/splunkd/__raw/servicesNS/nobody/search/authenticat
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. On May 3rd, 2022, Splunk published a security advisory for a reflective Cross-Site Scripting (XSS) vulnerability stemming from the lack of input validation in the Distributed Monitoring Console app. This detection will alert on attempted exploitation in patched versions of Splunk as well as actual exploitation in unpatched version of Splunk.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = On May 3rd, 2022, Splunk published a security advisory for a reflective Cross-Site Scripting (XSS) vulnerability stemming from the lack of input validation in the Distributed Monitoring Console app. This detection will alert on attempted exploitation in patched versions of Splunk as well as actual exploitation in unpatched version of Splunk.
 action.escu.how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection will find attempted exploitation of CVE-2022-27183.
@@ -3053,7 +3053,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Splunk XSS in Monitoring Console - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2022-27183"], "impact": 50, "mitre_attack": ["T1189"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2022-27183"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -3076,7 +3076,7 @@ search = `splunkd_web` method="GET" uri_query="description=%3C*" | table _time
 action.escu = 0
 action.escu.enabled = 1
 description = This is a hunting search to find persistent cross-site scripting XSS code that was included while inputing data in 'Save Table' dialog in Splunk Enterprise (8.1.12,8.2.9,9.0.2). A remote user with "power" Splunk role can store this code that can lead to persistent cross site scripting.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This is a hunting search to find persistent cross-site scripting XSS code that was included while inputing data in 'Save Table' dialog in Splunk Enterprise (8.1.12,8.2.9,9.0.2). A remote user with "power" Splunk role can store this code that can lead to persistent cross site scripting.
 action.escu.how_to_implement = Watch for POST requests combined with XSS script strings or obfuscation against the injection point /en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model.
@@ -3094,7 +3094,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Splunk XSS in Save table dialog header in search page - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2022-43561"], "impact": 50, "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2022-43561"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -3111,7 +3111,7 @@ search = `splunkd_webx` method=POST uri=/en-US/splunkd/__raw/servicesNS/nobody/
 action.escu = 0
 action.escu.enabled = 1
 description = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting in an XML View through the 'layoutPanel' attribute in the 'module' tag. The vulnerability affects instances with Splunk Web enabled. This hunting search shows users action, application and role used for creating views related to this vulnerability.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting in an XML View through the 'layoutPanel' attribute in the 'module' tag. The vulnerability affects instances with Splunk Web enabled. This hunting search shows users action, application and role used for creating views related to this vulnerability.
 action.escu.how_to_implement = This data is collected by default in Splunk. Upon first enabling this rule, a number of errors may be observed. Those that are due to improperly formatted, but non-nefarious, XML views should be be remedied in the corresponding view. Please take care investigating potential XSS as accessing an affected page could retrigger the exploit.
@@ -3129,7 +3129,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Splunk XSS via View - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-22933"], "impact": 50, "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-22933"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -3146,7 +3146,7 @@ search = index = _internal sourcetype IN ("splunk_web_service", "splunk_python")
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects emails that contain attachments with suspicious file extensions. Detecting and responding to emails with suspicious attachments can mitigate the risks associated with phishing and malware attacks, thereby protecting the organization's data and systems from potential harm. The detection is made by using a Splunk query that searches for emails in the datamodel=Email where the filename of the attachment is not empty. The analytic uses the tstats command to summarize the count, first time, and last time of the emails that meet the criteria. It groups the results by the source user, file name, and message ID of the email. The detection is important because it indicates potential phishing or malware delivery attempts in which an attacker attempts to deliver malicious content through email attachments, which can lead to data breaches, malware infections, or unauthorized access to sensitive information. Next steps include reviewing the identified emails and attachments and analyzing the source user, file name, and message ID to determine if they are legitimate or malicious. Additionally, you must inspect any relevant on-disk artifacts associated with the attachments and investigate any concurrent processes to identify the source of the attack.
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Email"]
 action.escu.eli5 = The following analytic detects emails that contain attachments with suspicious file extensions. Detecting and responding to emails with suspicious attachments can mitigate the risks associated with phishing and malware attacks, thereby protecting the organization's data and systems from potential harm. The detection is made by using a Splunk query that searches for emails in the datamodel=Email where the filename of the attachment is not empty. The analytic uses the tstats command to summarize the count, first time, and last time of the emails that meet the criteria. It groups the results by the source user, file name, and message ID of the email. The detection is important because it indicates potential phishing or malware delivery attempts in which an attacker attempts to deliver malicious content through email attachments, which can lead to data breaches, malware infections, or unauthorized access to sensitive information. Next steps include reviewing the identified emails and attachments and analyzing the source user, file name, and message ID to determine if they are legitimate or malicious. Additionally, you must inspect any relevant on-disk artifacts associated with the attachments and investigate any concurrent processes to identify the source of the attack.
 action.escu.how_to_implement = You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model. \
@@ -3171,7 +3171,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Suspicious Email Attachment Extensions - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Emotet Malware DHS Report TA18-201A ", "Hermetic Wiper", "Suspicious Emails"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Emotet Malware DHS Report TA18-201A ", "Hermetic Wiper", "Suspicious Emails"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -3228,7 +3228,7 @@ search = `stream_http` http_method=POST http_content_length>1 | regex form_data=
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects suspicious processes on systems labeled as web servers. This detection is made by a Splunk query that searches for specific process names that might indicate malicious activity. These suspicious processes include "whoami", "ping", "iptables", "wget", "service", and "curl". Uses the Splunk data model "Endpoint.Processes" and filters the results to only include systems categorized as web servers. This detection is important because it indicates unauthorized or malicious activity on web servers since these processes are commonly used by attackers to perform reconnaissance, establish persistence, or exfiltrate data from compromised systems. The impact of such an attack can be significant, ranging from data theft to the deployment of additional malicious payloads, potentially leading to ransomware or other damaging outcomes. False positives might occur since the legitimate use of these processes on web servers can trigger the analytic. Next steps include triaging and investigating to determine the legitimacy of the activity. Also, review the source and command of the suspicious process. You must also examine any relevant on-disk artifacts and look for concurrent processes to identify the source of the attack.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1082"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic detects suspicious processes on systems labeled as web servers. This detection is made by a Splunk query that searches for specific process names that might indicate malicious activity. These suspicious processes include "whoami", "ping", "iptables", "wget", "service", and "curl". Uses the Splunk data model "Endpoint.Processes" and filters the results to only include systems categorized as web servers. This detection is important because it indicates unauthorized or malicious activity on web servers since these processes are commonly used by attackers to perform reconnaissance, establish persistence, or exfiltrate data from compromised systems. The impact of such an attack can be significant, ranging from data theft to the deployment of additional malicious payloads, potentially leading to ransomware or other damaging outcomes. False positives might occur since the legitimate use of these processes on web servers can trigger the analytic. Next steps include triaging and investigating to determine the legitimacy of the activity. Also, review the source and command of the suspicious process. You must also examine any relevant on-disk artifacts and look for concurrent processes to identify the source of the attack.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions.
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -3251,7 +3251,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Web Servers Executing Suspicious Processes - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Apache Struts Vulnerability"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1082"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Apache Struts Vulnerability"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -3274,7 +3274,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search will detect a spike in the number of API calls made to your cloud infrastructure environment by a user.
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Change"]
 action.escu.eli5 = This search will detect a spike in the number of API calls made to your cloud infrastructure environment by a user.
 action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Infrastructure API Calls Per User` to create the probability density function.
@@ -3289,7 +3289,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Suspicious Cloud User Activities", "Compromised User Account"]
 action.risk = 1
 action.risk.param._risk_message = user $user$ has made $api_calls$ api calls, violating the dynamic threshold of $expected_upper_threshold$ with the following command $command$.
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 15}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 15}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -3297,7 +3297,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Abnormally High Number Of Cloud Infrastructure API Calls - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud User Activities", "Compromised User Account"], "cis20": ["CIS 13"], "confidence": 50, "impact": 30, "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud User Activities", "Compromised User Account"], "cis20": ["CIS 13"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -3314,7 +3314,7 @@ search = | tstats count as api_calls values(All_Changes.command) as command from
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search finds for the number successfully destroyed cloud instances for every 4 hour block. This is split up between weekdays and the weekend. It then applies the probability densitiy model previously created and alerts on any outliers.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Change"]
 action.escu.eli5 = This search finds for the number successfully destroyed cloud instances for every 4 hour block. This is split up between weekdays and the weekend. It then applies the probability densitiy model previously created and alerts on any outliers.
 action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Instances Destroyed` to create the probability density function.
@@ -3337,7 +3337,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Abnormally High Number Of Cloud Instances Destroyed - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Instance Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Instance Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -3354,7 +3354,7 @@ search = | tstats count as instances_destroyed values(All_Changes.object_id) as
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search finds for the number successfully created cloud instances for every 4 hour block. This is split up between weekdays and the weekend. It then applies the probability densitiy model previously created and alerts on any outliers.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Change"]
 action.escu.eli5 = This search finds for the number successfully created cloud instances for every 4 hour block. This is split up between weekdays and the weekend. It then applies the probability densitiy model previously created and alerts on any outliers.
 action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Instances Launched` to create the probability density function.
@@ -3377,7 +3377,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Abnormally High Number Of Cloud Instances Launched - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Cloud Cryptomining", "Suspicious Cloud Instance Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Cloud Cryptomining", "Suspicious Cloud Instance Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -3394,7 +3394,7 @@ search = | tstats count as instances_launched values(All_Changes.object_id) as o
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search will detect a spike in the number of API calls made to your cloud infrastructure environment about security groups by a user.
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Change"]
 action.escu.eli5 = This search will detect a spike in the number of API calls made to your cloud infrastructure environment about security groups by a user.
 action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Security Group API Calls Per User` to create the probability density function model.
@@ -3409,7 +3409,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Suspicious Cloud User Activities"]
 action.risk = 1
 action.risk.param._risk_message = user $user$ has made $api_calls$ api calls related to security groups, violating the dynamic threshold of $expected_upper_threshold$ with the following command $command$.
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 15}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 15}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -3417,7 +3417,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Abnormally High Number Of Cloud Security Group API Calls - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud User Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 30, "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud User Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -3434,7 +3434,7 @@ search = | tstats count as security_group_api_calls values(All_Changes.command)
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster in AWS
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster in AWS
 action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudWatch EKS Logs inputs.
@@ -3452,7 +3452,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Amazon EKS Kubernetes cluster scan detection - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Scanning Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1526"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Scanning Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -3469,7 +3469,7 @@ search = `aws_cloudwatchlogs_eks` "user.username"="system:anonymous" userAgent!=
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects unauthenticated requests made against the Kubernetes' Pods API through proactive monitoring to protect the Kubernetes environment from unauthorized access and potential security breaches. The detection is made by using the Splunk query `aws_cloudwatchlogs_eks` with specific filters to identify these requests. Identifies events where the `user.username` is set to "system:anonymous", the `verb` is set to "list", and the `objectRef.resource` is set to "pods". Additionally, the search checks if the `requestURI` is equal to "/api/v1/pods". Analyzing these events helps you to identify any unauthorized access attempts to the Kubernetes' Pods API. Unauthenticated requests can indicate potential security breaches or unauthorized access to sensitive resources within the Kubernetes environment. The detection is important because unauthorized access to Kubernetes' Pods API can lead to the compromise of sensitive data, unauthorized execution of commands, or even the potential for lateral movement within the Kubernetes cluster. False positives might occur since there might be legitimate use cases for unauthenticated requests in certain scenarios. Therefore, you must review and validate any detected events before taking any action. Next steps include investigating the incident to mitigate any ongoing threats, and strengthening the security measures to prevent future unauthorized access attempts.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic detects unauthenticated requests made against the Kubernetes' Pods API through proactive monitoring to protect the Kubernetes environment from unauthorized access and potential security breaches. The detection is made by using the Splunk query `aws_cloudwatchlogs_eks` with specific filters to identify these requests. Identifies events where the `user.username` is set to "system:anonymous", the `verb` is set to "list", and the `objectRef.resource` is set to "pods". Additionally, the search checks if the `requestURI` is equal to "/api/v1/pods". Analyzing these events helps you to identify any unauthorized access attempts to the Kubernetes' Pods API. Unauthenticated requests can indicate potential security breaches or unauthorized access to sensitive resources within the Kubernetes environment. The detection is important because unauthorized access to Kubernetes' Pods API can lead to the compromise of sensitive data, unauthorized execution of commands, or even the potential for lateral movement within the Kubernetes cluster. False positives might occur since there might be legitimate use cases for unauthenticated requests in certain scenarios. Therefore, you must review and validate any detected events before taking any action. Next steps include investigating the incident to mitigate any ongoing threats, and strengthening the security measures to prevent future unauthorized access attempts.
action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on forAWS (version 4.4.0 or later), then configure your AWS CloudWatch EKS Logs.Please also customize the `kubernetes_pods_aws_scan_fingerprint_detection` macro to filter out the false positives.
@@ -3487,7 +3487,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Amazon EKS Kubernetes Pod scan detection - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Scanning Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1526"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Scanning Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -3504,7 +3504,7 @@ search = `aws_cloudwatchlogs_eks` "user.username"="system:anonymous" verb=list o
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies an AWS IAM account with concurrent sessions coming from more than one unique IP address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources. When a user navigates the AWS Console after authentication, the API call with the event name `DescribeEventAggregates` is registered in the AWS CloudTrail logs. The Splunk Threat Research team leveraged this event name to identify 2 concurrent sessions. The presence of this event occurring from two different IP addresses is highly unlikely. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1185"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies an AWS IAM account with concurrent sessions coming from more than one unique IP address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources.
When a user navigates the AWS Console after authentication, the API call with the event name `DescribeEventAggregates` is registered in the AWS CloudTrail logs. The Splunk Threat Research team leveraged this event name to identify 2 concurrent sessions. The presence of this event occurring from two different IP addresses is highly unlikely. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.
 action.escu.how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.
@@ -3519,7 +3519,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Compromised User Account", "AWS Identity and Access Management Account"]
 action.risk = 1
 action.risk.param._risk_message = User $identity.user.name$ has concurrent sessions from more than one unique IP address $src_endpoint.ip$ in the span of 5 minutes.
-action.risk.param._risk = [{"risk_object_field": "identity.user.credential_uid", "risk_object_type": "user", "risk_score": 42}, {"risk_object_field": "src_endpoint.ip", "risk_object_type": "system", "risk_score": 42}]
+action.risk.param._risk = [{"risk_object_field": "identity.user.credential_uid", "risk_object_type": "user", "risk_score": 42}, {"risk_object_field": "src_endpoint.ip", "risk_object_type": "other", "risk_score": 42}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -3527,7 +3527,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - ASL AWS Concurrent Sessions From Different Ips - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account", "AWS Identity and Access Management Account"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "mitre_attack": ["T1185"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account", "AWS Identity and Access Management Account"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -3544,7 +3544,7 @@ search = `amazon_security_lake` api.operation=DescribeEventAggregates src_endpo action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting. 
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting. action.escu.how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format. 
@@ -3562,7 +3562,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - ASL AWS CreateAccessKey - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -3579,7 +3579,7 @@ search = `amazon_security_lake` api.operation=CreateAccessKey http_request.user_ action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic identifies AWS `DeleteTrail` events within CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the the entire cloudtrail that is logging activities in the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies AWS `DeleteTrail` events within CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the the entire cloudtrail that is logging activities in the environment. action.escu.how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. 
This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format. @@ -3594,7 +3594,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["AWS Defense Evasion"] action.risk = 1 action.risk.param._risk_message = User $identity.user.name$ has delete a CloudTrail logging for account id $identity.user.account_uid$ -action.risk.param._risk = [{"risk_object_field": "src_endpoint.ip", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "identity.user.name", "risk_object_type": "user", "risk_score": 90}] +action.risk.param._risk = [{"risk_object_field": "src_endpoint.ip", "risk_object_type": "other", "risk_score": 90}, {"risk_object_field": "identity.user.name", "risk_object_type": "user", "risk_score": 90}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -3602,7 +3602,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - ASL AWS Defense Evasion Delete Cloudtrail - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -3625,7 +3625,7 @@ search = `amazon_security_lake` api.operation=DeleteTrail | stats count min(_tim action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic identifies AWS `DeleteLogGroup` events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies AWS `DeleteLogGroup` events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment. action.escu.how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format. 
@@ -3640,7 +3640,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["AWS Defense Evasion"] action.risk = 1 action.risk.param._risk_message = User $identity.user.name$ has deleted a CloudWatch logging group for account id $identity.user.account_uid$ -action.risk.param._risk = [{"risk_object_field": "src_endpoint.ip", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "identity.user.name", "risk_object_type": "user", "risk_score": 90}] +action.risk.param._risk = [{"risk_object_field": "src_endpoint.ip", "risk_object_type": "other", "risk_score": 90}, {"risk_object_field": "identity.user.name", "risk_object_type": "user", "risk_score": 90}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -3648,7 +3648,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - ASL AWS Defense Evasion Delete CloudWatch Log Group - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -3671,7 +3671,7 @@ search = `amazon_security_lake` api.operation=DeleteLogGroup | stats count min(_ action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic looks for several delete specific API calls made to AWS Security Services like CloudWatch, GuardDuty and Web Application Firewalls. These API calls are often leveraged by adversaries to weaken existing security defenses by deleting logging configurations in the CloudWatch alarm, delete a set of detectors from your Guardduty environment or simply delete a bunch of CloudWatch alarms to remain stealthy and avoid detection. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"]} action.escu.data_models = ["Web"] action.escu.eli5 = This analytic looks for several delete specific API calls made to AWS Security Services like CloudWatch, GuardDuty and Web Application Firewalls. These API calls are often leveraged by adversaries to weaken existing security defenses by deleting logging configurations in the CloudWatch alarm, delete a set of detectors from your Guardduty environment or simply delete a bunch of CloudWatch alarms to remain stealthy and avoid detection. action.escu.how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. 
This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format. @@ -3689,7 +3689,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - ASL AWS Defense Evasion Impair Security Services - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -3706,7 +3706,7 @@ search = `amazon_security_lake` api.operation IN ("DeleteLogStream","DeleteDetec action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS CloudTrail events and analyse the amount of eventNames which starts with Describe by a single user. This indicates that this user scans the configuration of your AWS cloud environment. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search looks for AWS CloudTrail events and analyse the amount of eventNames which starts with Describe by a single user. This indicates that this user scans the configuration of your AWS cloud environment. action.escu.how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format. 
@@ -3721,7 +3721,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["AWS User Monitoring"] action.risk = 1 action.risk.param._risk_message = user $identity.user.name$ has excessive number of api calls. -action.risk.param._risk = [{"risk_object_field": "src_endpoint.ip", "risk_object_type": "system", "risk_score": 18}, {"risk_object_field": "identity.user.name", "risk_object_type": "user", "risk_score": 18}] +action.risk.param._risk = [{"risk_object_field": "src_endpoint.ip", "risk_object_type": "other", "risk_score": 18}, {"risk_object_field": "identity.user.name", "risk_object_type": "other", "risk_score": 18}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -3729,7 +3729,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - ASL AWS Excessive Security Scanning - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS User Monitoring"], "cis20": ["CIS 13"], "confidence": 60, "impact": 30, "mitre_attack": ["T1526"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS User Monitoring"], "cis20": ["CIS 13"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -3746,7 +3746,7 @@ search = `amazon_security_lake` api.operation=Describe* OR api.operation=List* O action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following detection identifes when a policy is deleted on AWS. This does not identify whether successful or failed, but the error messages tell a story of suspicious attempts. There is a specific process to follow when deleting a policy. First, detach the policy from all users, groups, and roles that the policy is attached to, using DetachUserPolicy , DetachGroupPolicy , or DetachRolePolicy. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following detection identifes when a policy is deleted on AWS. This does not identify whether successful or failed, but the error messages tell a story of suspicious attempts. There is a specific process to follow when deleting a policy. First, detach the policy from all users, groups, and roles that the policy is attached to, using DetachUserPolicy , DetachGroupPolicy , or DetachRolePolicy. action.escu.how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format. 
@@ -3764,7 +3764,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - ASL AWS IAM Delete Policy - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "mitre_attack": ["T1098"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -3781,7 +3781,7 @@ search = `amazon_security_lake` api.operation=DeletePolicy | stats count min(_ti action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies an attempt to disable multi-factor authentication for an AWS IAM user. An adversary who has obtained access to an AWS tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1556", "T1556.006"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1556", "T1556.006"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies an attempt to disable multi-factor authentication for an AWS IAM user. An adversary who has obtained access to an AWS tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. action.escu.how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format. 
@@ -3796,7 +3796,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover"] action.risk = 1 action.risk.param._risk_message = User $user_name$ has disabled Multi-Factor authentication for AWS account $aws_account_id$ -action.risk.param._risk = [{"risk_object_field": "identity.user.account_uid", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "identity.user.name", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "src_endpoint.ip", "risk_object_type": "system", "risk_score": 64}] +action.risk.param._risk = [{"risk_object_field": "identity.user.account_uid", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "identity.user.name", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "src_endpoint.ip", "risk_object_type": "other", "risk_score": 64}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -3804,7 +3804,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - ASL AWS Multi-Factor Authentication Disabled - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1586", "T1586.003", "T1621", "T1556", "T1556.006"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Weaponization", "Exploitation", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1556", "T1556.006"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -3827,7 +3827,7 @@ search = `amazon_security_lake` (api.operation=DeleteVirtualMFADevice OR api.ope action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the registration of a new Multi Factor authentication method for an AWS account logged through Amazon Secruity Lake (ASL). Adversaries who have obtained unauthorized access to an AWS account may register a new MFA method to maintain persistence. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the registration of a new Multi Factor authentication method for an AWS account logged through Amazon Secruity Lake (ASL). Adversaries who have obtained unauthorized access to an AWS account may register a new MFA method to maintain persistence. action.escu.how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format. 
@@ -3842,7 +3842,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover"] action.risk = 1 action.risk.param._risk_message = A new virtual device is added to user $identity.user.name$ -action.risk.param._risk = [{"risk_object_field": "identity.user.name", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "src_endpoint.ip", "risk_object_type": "system", "risk_score": 64}] +action.risk.param._risk = [{"risk_object_field": "identity.user.name", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "src_endpoint.ip", "risk_object_type": "other", "risk_score": 64}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -3850,7 +3850,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - ASL AWS New MFA Method Registered For User - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -3873,7 +3873,7 @@ search = `amazon_security_lake` api.operation=CreateVirtualMFADevice | stats co action.escu = 0 action.escu.enabled = 1 description = This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised. action.escu.how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format. 
@@ -3891,7 +3891,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - ASL AWS Password Policy Changes - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "mitre_attack": ["T1201"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -3908,7 +3908,7 @@ search = `amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.oper action.escu = 0 action.escu.enabled = 1 description = This search looks for suspicious AWS AMI attribute modifications, such as sharing it with another AWS account or making the full AMI image public. Adversaries are known to abuse these APIs to exfiltrate sensitive organization information stored in the AWS Resources, there by its very important to monitor these seemingly benign API activity in Cloudtrail logs. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search looks for suspicious AWS AMI attribute modifications, such as sharing it with another AWS account or making the full AMI image public. Adversaries are known to abuse these APIs to exfiltrate sensitive organization information stored in the AWS Resources, there by its very important to monitor these seemingly benign API activity in Cloudtrail logs. action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. 
@@ -3923,7 +3923,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["Suspicious Cloud Instance Activities", "Data Exfiltration"] action.risk = 1 action.risk.param._risk_message = AWS AMI from account $aws_account_id$ is shared externally with $accounts_added$ from $src_ip$ or AMI made is made Public. -action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 80}] +action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 80}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -3931,7 +3931,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS AMI Atttribute Modification for Exfiltration - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Instance Activities", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "mitre_attack": ["T1537"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Instance Activities", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -3954,7 +3954,7 @@ search = `cloudtrail` eventName=ModifyImageAttribute (requestParameters.launchPe action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies an AWS IAM account with concurrent sessions coming from more than one unique IP address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources. When a user navigates the AWS Console after authentication, the API call with the event name `DescribeEventAggregates` is registered in the AWS CloudTrail logs. The Splunk Threat Research team leveraged this event name to identify 2 concurrent sessions. The presence of this event occurring from two different IP addresses is highly unlikely. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1185"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies an AWS IAM account with concurrent sessions coming from more than one unique IP address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources. When a user navigates the AWS Console after authentication, the API call with the event name `DescribeEventAggregates` is registered in the AWS CloudTrail logs. The Splunk Threat Research team leveraged this event name to identify 2 concurrent sessions. The presence of this event occurring from two different IP addresses is highly unlikely. 
As users may behave differently across organizations, security teams should test and customize this detection to fit their environments. action.escu.how_to_implement = You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs. @@ -3969,7 +3969,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["Compromised User Account", "AWS Identity and Access Management Account"] action.risk = 1 action.risk.param._risk_message = User $user_arn$ has concurrent sessions from more than one unique IP address $src_ip$ in the span of 5 minutes. -action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 42}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 42}] +action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 42}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 42}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -3977,7 +3977,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS Concurrent Sessions From Different Ips - Rule -action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account", "AWS Identity and Access Management Account"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "mitre_attack": ["T1185"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account", "AWS Identity and Access Management Account"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -4000,7 +4000,7 @@ search = `cloudtrail` eventName = DescribeEventAggregates src_ip!="AWS Internal action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies an authentication attempt event against an AWS Console that fails during the Multi Factor Authentication challenge. AWS Cloudtrail logs provide a a very useful field called `additionalEventData` that logs information regarding usage of MFA. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1621"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1621"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies an authentication attempt event against an AWS Console that fails during the Multi Factor Authentication challenge. AWS Cloudtrail logs provide a a very useful field called `additionalEventData` that logs information regarding usage of MFA. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. action.escu.how_to_implement = The Splunk AWS Add-on is required to utilize this data. The search requires AWS Cloudtrail logs. 
@@ -4015,7 +4015,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover", "Compromised User Account"] action.risk = 1 action.risk.param._risk_message = User $user_name$ failed to pass MFA challenge while logging into console from $src$ -action.risk.param._risk = [{"risk_object_field": "user_name", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "src", "risk_object_type": "system", "risk_score": 64}] +action.risk.param._risk = [{"risk_object_field": "user_name", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "src", "risk_object_type": "other", "risk_score": 64}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -4023,7 +4023,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS Console Login Failed During MFA Challenge - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1586", "T1586.003", "T1621"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1621"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -4046,7 +4046,7 @@ search = `cloudtrail` eventName= ConsoleLogin errorMessage="Failed authenticatio action.escu = 0 action.escu.enabled = 1 description = This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. @@ -4061,7 +4061,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["AWS IAM Privilege Escalation"] action.risk = 1 action.risk.param._risk_message = User $user$ created a policy version that allows them to access any resource in their account. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -4069,7 +4069,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS Create Policy Version to allow all resources - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -4092,7 +4092,7 @@ search = `cloudtrail` eventName=CreatePolicyVersion eventSource = iam.amazonaws. action.escu = 0 action.escu.enabled = 1 description = This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. 
While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting. action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. @@ -4110,7 +4110,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS CreateAccessKey - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 13"], "confidence": 90, "impact": 70, "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 13"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -4127,7 +4127,7 @@ search = `cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws. action.escu = 0 action.escu.enabled = 1 description = This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. @@ -4142,7 +4142,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["AWS IAM Privilege Escalation"] action.risk = 1 action.risk.param._risk_message = User $user_arn$ is attempting to create a login profile for $requestParameters.userName$ and did a console login from this IP $src_ip$ -action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 72}] +action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 72}, {"risk_object_field": "user_arn", "risk_object_type": "other", "risk_score": 72}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -4150,7 +4150,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS CreateLoginProfile - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 13"], "confidence": 80, "impact": 90, "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 13"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -4173,7 +4173,7 @@ search = `cloudtrail` eventName = CreateLoginProfile | rename requestParameters. action.escu = 0 action.escu.enabled = 1 description = It shows that there have been an unsuccessful attempt to log in using the user identity to the AWS management console. Since the user identity has access to AWS account services and resources, an attacker might try to brute force the password for that identity. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Authentication"] action.escu.eli5 = It shows that there have been an unsuccessful attempt to log in using the user identity to the AWS management console. Since the user identity has access to AWS account services and resources, an attacker might try to brute force the password for that identity. action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. 
@@ -4188,7 +4188,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover"] action.risk = 1 action.risk.param._risk_message = User $user$ has a login failure from IP $src$ -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] +action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -4196,7 +4196,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS Credential Access Failed Login - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -4219,7 +4219,7 @@ search = | tstats count earliest(_time) as firstTime, latest(_time) as lastTime action.escu = 0 action.escu.enabled = 1 description = This detection analytic identifies more than 10 GetPasswordData API calls made to your AWS account with a time window of 5 minutes. Attackers can retrieve the encrypted administrator password for a running Windows instance. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.001"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.001"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This detection analytic identifies more than 10 GetPasswordData API calls made to your AWS account with a time window of 5 minutes. Attackers can retrieve the encrypted administrator password for a running Windows instance. action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. We encourage the users to adjust the values of `distinct_instance_ids` and tweak the `span` value according to their environment. 
@@ -4234,7 +4234,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover"] action.risk = 1 action.risk.param._risk_message = User $user_arn$ is seen to make mulitple `GetPasswordData` API calls to instance ids $instance_ids$ from IP $src_ip$ -action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 49}] +action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -4242,7 +4242,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS Credential Access GetPasswordData - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.001"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.001"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -4259,7 +4259,7 @@ search = `cloudtrail` eventName=GetPasswordData eventSource = ec2.amazonaws.com action.escu = 0 action.escu.enabled = 1 description = The master user password for Amazon RDS DB instance can be reset using the Amazon RDS console. Using this technique, the attacker can get access to the sensitive data from the DB. Usually, the production databases may have sensitive data like Credit card information, PII, Health care Data. This event should be investigated further. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1110"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The master user password for Amazon RDS DB instance can be reset using the Amazon RDS console. Using this technique, the attacker can get access to the sensitive data from the DB. Usually, the production databases may have sensitive data like Credit card information, PII, Health care Data. This event should be investigated further. action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. @@ -4274,7 +4274,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover"] action.risk = 1 action.risk.param._risk_message = $DB$ password has been reset from IP $sourceIPAddress$ -action.risk.param._risk = [{"risk_object_field": "sourceIPAddress", "risk_object_type": "system", "risk_score": 49}] +action.risk.param._risk = [{"risk_object_field": "sourceIPAddress", "risk_object_type": "other", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -4282,7 +4282,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS Credential Access RDS Password reset - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1586", "T1586.003", "T1110"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -4320,7 +4320,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Suspicious Cloud Authentication Activities"] action.risk = 1 action.risk.param._risk_message = AWS account $requestingAccountId$ is trying to access resource from some other account $requestedAccountId$, for the first time. -action.risk.param._risk = [{"threat_object_field": "requestingAccountId", "threat_object_type": "other"}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 15}] +action.risk.param._risk = [{"risk_object_field": "requestingAccountId", "risk_object_type": "other", "risk_score": 15}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 15}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -4345,7 +4345,7 @@ search = | tstats min(_time) as firstTime max(_time) as lastTime from datamodel= action.escu = 0 action.escu.enabled = 1 description = This analytic identifies AWS `DeleteTrail` events within CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the the entire cloudtrail that is logging activities in the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies AWS `DeleteTrail` events within CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the the entire cloudtrail that is logging activities in the environment. action.escu.how_to_implement = You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. 
@@ -4360,7 +4360,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["AWS Defense Evasion"] action.risk = 1 action.risk.param._risk_message = User $user_arn$ has delete a CloudTrail logging for account id $aws_account_id$ from IP $src$ -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 90}] +action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "other", "risk_score": 90}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 90}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -4368,7 +4368,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS Defense Evasion Delete Cloudtrail - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -4391,7 +4391,7 @@ search = `cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws action.escu = 0 action.escu.enabled = 1 description = This analytic identifies AWS `DeleteLogGroup` events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies AWS `DeleteLogGroup` events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment. action.escu.how_to_implement = You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. 
@@ -4406,7 +4406,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["AWS Defense Evasion"] action.risk = 1 action.risk.param._risk_message = User $user_arn$ has deleted a CloudWatch logging group for account id $aws_account_id$ from IP $src$ -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 90}] +action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "other", "risk_score": 90}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 90}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -4414,7 +4414,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS Defense Evasion Delete CloudWatch Log Group - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -4437,7 +4437,7 @@ search = `cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.co action.escu = 0 action.escu.enabled = 1 description = This analytic looks for several delete specific API calls made to AWS Security Services like CloudWatch, GuardDuty and Web Application Firewalls. These API calls are often leveraged by adversaries to weaken existing security defenses by deleting logging configurations in the CloudWatch alarm, delete a set of detectors from your Guardduty environment or simply delete a bunch of CloudWatch alarms to remain stealthy and avoid detection. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"]} action.escu.data_models = ["Web"] action.escu.eli5 = This analytic looks for several delete specific API calls made to AWS Security Services like CloudWatch, GuardDuty and Web Application Firewalls. These API calls are often leveraged by adversaries to weaken existing security defenses by deleting logging configurations in the CloudWatch alarm, delete a set of detectors from your Guardduty environment or simply delete a bunch of CloudWatch alarms to remain stealthy and avoid detection. action.escu.how_to_implement = You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. 
@@ -4455,7 +4455,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS Defense Evasion Impair Security Services - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -4472,7 +4472,7 @@ search = `cloudtrail` eventName IN ("DeleteLogStream","DeleteDetector","DeleteIP
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic identifies `PutBucketLifecycle` events in CloudTrail logs where a user has created a new lifecycle rule for an S3 bucket with a short expiration period. Attackers may use this API call to impair the CloudTrail logging by removing logs from the S3 bucket by changing the object expiration day to 1 day, in which case the CloudTrail logs will be deleted.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This analytic identifies `PutBucketLifecycle` events in CloudTrail logs where a user has created a new lifecycle rule for an S3 bucket with a short expiration period. Attackers may use this API call to impair the CloudTrail logging by removing logs from the S3 bucket by changing the object expiration day to 1 day, in which case the CloudTrail logs will be deleted.
 action.escu.how_to_implement = You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. We recommend our users to set the expiration days value according to your company's log retention policies.
@@ -4490,7 +4490,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS Defense Evasion PutBucketLifecycle - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 40, "impact": 50, "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 40, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -4507,7 +4507,7 @@ search = `cloudtrail` eventName=PutBucketLifecycle user_type=IAMUser errorCode=s
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic identifies `StopLogging` events in CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their macliious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may easily stop logging.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = This analytic identifies `StopLogging` events in CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their macliious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may easily stop logging.
 action.escu.how_to_implement = You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment.
@@ -4522,7 +4522,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
 action.escu.analytic_story = ["AWS Defense Evasion"]
 action.risk = 1
 action.risk.param._risk_message = User $user_arn$ has stopped Cloudtrail logging for account id $aws_account_id$ from IP $src$
-action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 90}]
+action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "other", "risk_score": 90}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 90}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -4530,7 +4530,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS Defense Evasion Stop Logging Cloudtrail - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.008", "T1562"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -4553,7 +4553,7 @@ search = `cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic identifies `UpdateTrail` events in CloudTrail logs. Attackers may evade the logging capability by updating the settings and impairing them with wrong parameters. For example, Attackers may change the multi-regional log into a single region logs, which evades the logging for other regions. When the adversary has the right type of permissions in the compromised AWS environment, they may update the CloudTrail settings that is logging activities in your environment.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = This analytic identifies `UpdateTrail` events in CloudTrail logs. Attackers may evade the logging capability by updating the settings and impairing them with wrong parameters. For example, Attackers may change the multi-regional log into a single region logs, which evades the logging for other regions. When the adversary has the right type of permissions in the compromised AWS environment, they may update the CloudTrail settings that is logging activities in your environment.
 action.escu.how_to_implement = You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment.
@@ -4568,7 +4568,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
 action.escu.analytic_story = ["AWS Defense Evasion"]
 action.risk = 1
 action.risk.param._risk_message = User $user_arn$ has updated a cloudtrail logging for account id $aws_account_id$ from IP $src$
-action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 90}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 90}]
+action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "other", "risk_score": 90}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 90}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -4576,7 +4576,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS Defense Evasion Update Cloudtrail - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["AWS Defense Evasion"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -4599,7 +4599,7 @@ search = `cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search provides detection of an user attaching itself to a different role trust policy. This can be used for lateral movement and escalation of privileges.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search provides detection of an user attaching itself to a different role trust policy. This can be used for lateral movement and escalation of privileges.
 action.escu.how_to_implement = You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs
@@ -4617,7 +4617,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - aws detect attach to role policy - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AWS Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["AWS Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -4634,7 +4634,7 @@ search = `aws_cloudwatchlogs_eks` attach policy| spath requestParameters.policyA
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search provides detection of accounts creating permanent keys. Permanent keys are not created by default and they are only needed for programmatic calls. Creation of Permanent key is an important event to monitor.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search provides detection of accounts creating permanent keys. Permanent keys are not created by default and they are only needed for programmatic calls. Creation of Permanent key is an important event to monitor.
 action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs
@@ -4652,7 +4652,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - aws detect permanent key creation - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AWS Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["AWS Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -4669,7 +4669,7 @@ search = `aws_cloudwatchlogs_eks` CreateAccessKey | spath eventName | search eve
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search provides detection of role creation by IAM users. Role creation is an event by itself if user is creating a new role with trust policies different than the available in AWS and it can be used for lateral movement and escalation of privileges.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search provides detection of role creation by IAM users. Role creation is an event by itself if user is creating a new role with trust policies different than the available in AWS and it can be used for lateral movement and escalation of privileges.
 action.escu.how_to_implement = You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs
@@ -4687,7 +4687,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - aws detect role creation - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AWS Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["AWS Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -4704,7 +4704,7 @@ search = `aws_cloudwatchlogs_eks` event_name=CreateRole action=created userIdent
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search provides detection of suspicious use of sts:AssumeRole. These tokens can be created on the go and used by attackers to move laterally and escalate privileges.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search provides detection of suspicious use of sts:AssumeRole. These tokens can be created on the go and used by attackers to move laterally and escalate privileges.
 action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs
@@ -4722,7 +4722,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - aws detect sts assume role abuse - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AWS Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["AWS Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -4739,7 +4739,7 @@ search = `cloudtrail` user_type=AssumedRole userIdentity.sessionContext.sessionI
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search provides detection of suspicious use of sts:GetSessionToken. These tokens can be created on the go and used by attackers to move laterally and escalate privileges.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1550"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search provides detection of suspicious use of sts:GetSessionToken. These tokens can be created on the go and used by attackers to move laterally and escalate privileges.
 action.escu.how_to_implement = You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs
@@ -4757,7 +4757,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - aws detect sts get session token abuse - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AWS Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1550"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["AWS Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -4774,7 +4774,7 @@ search = `aws_cloudwatchlogs_eks` ASIA userIdentity.type=IAMUser| spath eventNa
 action.escu = 0
 action.escu.enabled = 1
 description = This search provides detection of KMS keys where action kms:Encrypt is accessible for everyone (also outside of your organization). This is an indicator that your account is compromised and the attacker uses the encryption key to compromise another company.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1486"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = This search provides detection of KMS keys where action kms:Encrypt is accessible for everyone (also outside of your organization). This is an indicator that your account is compromised and the attacker uses the encryption key to compromise another company.
 action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs
@@ -4789,7 +4789,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
 action.escu.analytic_story = ["Ransomware Cloud"]
 action.risk = 1
 action.risk.param._risk_message = AWS account is potentially compromised and user $userIdentity.principalId$ is trying to compromise other accounts.
-action.risk.param._risk = [{"risk_object_field": "userIdentity.principalId", "risk_object_type": "user", "risk_score": 25}]
+action.risk.param._risk = [{"risk_object_field": "userIdentity.principalId", "risk_object_type": "other", "risk_score": 25}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -4797,7 +4797,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS Detect Users creating keys with encrypt policy without MFA - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Ransomware Cloud"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1486"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Ransomware Cloud"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -4820,7 +4820,7 @@ search = `cloudtrail` eventName=CreateKey OR eventName=PutKeyPolicy | spath inpu
 action.escu = 0
 action.escu.enabled = 1
 description = This search provides detection of users with KMS keys performing encryption specifically against S3 buckets.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search provides detection of users with KMS keys performing encryption specifically against S3 buckets.
 action.escu.how_to_implement = You must install Splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs
@@ -4835,7 +4835,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
 action.escu.analytic_story = ["Ransomware Cloud"]
 action.risk = 1
 action.risk.param._risk_message = User $user$ with KMS keys is performing encryption, against S3 buckets on these files $dest_file$
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 15}, {"risk_object_field": "dest_file", "risk_object_type": "other", "risk_score": 15}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 15}, {"risk_object_field": "dest_file", "risk_object_type": "other", "risk_score": 15}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -4843,7 +4843,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS Detect Users with KMS keys performing encryption S3 - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Ransomware Cloud"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1486"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Ransomware Cloud"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -4860,7 +4860,7 @@ search = `cloudtrail` eventName=CopyObject requestParameters.x-amz-server-side-e
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic detects AWS cloudtrail events where bucket versioning is suspended by a user. Versioning allows the AWS Administrators to maintain different version of the S3 bucket which can be used to recover deleted data. Adversaries have leveraged this technique in the wild during a ransomware incident to disable versioning so the client cannot recover the data.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1490"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic detects AWS cloudtrail events where bucket versioning is suspended by a user. Versioning allows the AWS Administrators to maintain different version of the S3 bucket which can be used to recover deleted data. Adversaries have leveraged this technique in the wild during a ransomware incident to disable versioning so the client cannot recover the data.
 action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
@@ -4875,7 +4875,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
 action.escu.analytic_story = ["Suspicious AWS S3 Activities", "Data Exfiltration"]
 action.risk = 1
 action.risk.param._risk_message = Bucket Versioning is suspended for S3 buckets- $bucket_name$ by user $user_arn$ from IP address $src_ip$
-action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 64}]
+action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 64}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -4883,7 +4883,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS Disable Bucket Versioning - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS S3 Activities", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1490"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS S3 Activities", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -4900,7 +4900,7 @@ search = `cloudtrail` eventName= PutBucketVersioning "requestParameters.Versioni
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic utilizes AWS CloudTrail events to identify when an EC2 snapshot permissions are modified to be shared with a different AWS account. This method is used by adversaries to exfiltrate the EC2 snapshot.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic utilizes AWS CloudTrail events to identify when an EC2 snapshot permissions are modified to be shared with a different AWS account. This method is used by adversaries to exfiltrate the EC2 snapshot.
 action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
@@ -4915,7 +4915,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
 action.escu.analytic_story = ["Suspicious Cloud Instance Activities", "Data Exfiltration"]
 action.risk = 1
 action.risk.param._risk_message = AWS EC2 snapshot from account $aws_account_id$ is shared with $requested_account_id$ by user $user_arn$ from $src_ip$
-action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 48}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 48}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 48}]
+action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "other", "risk_score": 48}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 48}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 48}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -4923,7 +4923,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS EC2 Snapshot Shared Externally - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Instance Activities", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "mitre_attack": ["T1537"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Instance Activities", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -4946,7 +4946,7 @@ search = `cloudtrail` eventName=ModifySnapshotAttribute | rename requestParamete
 action.escu = 0
 action.escu.enabled = 1
 description = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). You need to activate image scanning in order to get the event DescribeImageScanFindings with the results.
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). You need to activate image scanning in order to get the event DescribeImageScanFindings with the results.
 action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
@@ -4961,7 +4961,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
 action.escu.analytic_story = ["Dev Sec Ops"]
 action.risk = 1
 action.risk.param._risk_message = Vulnerabilities with severity high found in repository $repository$
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 70}, {"risk_object_field": "repository", "risk_object_type": "other", "risk_score": 70}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 70}, {"risk_object_field": "repository", "risk_object_type": "other", "risk_score": 70}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -4969,7 +4969,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS ECR Container Scanning Findings High - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 100, "impact": 70, "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -4992,7 +4992,7 @@ search = `cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanF
 action.escu = 0
 action.escu.enabled = 1
 description = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). You need to activate image scanning in order to get the event DescribeImageScanFindings with the results.
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). You need to activate image scanning in order to get the event DescribeImageScanFindings with the results.
 action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
@@ -5007,7 +5007,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
 action.escu.analytic_story = ["Dev Sec Ops"]
 action.risk = 1
 action.risk.param._risk_message = Vulnerabilities with severity $severity$ found in repository $repository$
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 5}, {"risk_object_field": "repository", "risk_object_type": "other", "risk_score": 5}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 5}, {"risk_object_field": "repository", "risk_object_type": "other", "risk_score": 5}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -5015,7 +5015,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS ECR Container Scanning Findings Low Informational Unknown - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 50, "impact": 10, "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -5032,7 +5032,7 @@ search = `cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanF
 action.escu = 0
 action.escu.enabled = 1
 description = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). You need to activate image scanning in order to get the event DescribeImageScanFindings with the results.
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). You need to activate image scanning in order to get the event DescribeImageScanFindings with the results.
 action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
@@ -5047,7 +5047,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
 action.escu.analytic_story = ["Dev Sec Ops"]
 action.risk = 1
 action.risk.param._risk_message = Vulnerabilities with severity $severity$ found in repository $repository$
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 21}, {"risk_object_field": "repository", "risk_object_type": "other", "risk_score": 21}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 21}, {"risk_object_field": "repository", "risk_object_type": "other", "risk_score": 21}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -5055,7 +5055,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS ECR Container Scanning Findings Medium - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 70, "impact": 30, "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -5072,7 +5072,7 @@ search = `cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanF
 action.escu = 0
 action.escu.enabled = 1
 description = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). A upload of a new container is normally done during business hours. When done outside business hours, we want to take a look into it.
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). A upload of a new container is normally done during business hours. When done outside business hours, we want to take a look into it.
 action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
@@ -5087,7 +5087,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
 action.escu.analytic_story = ["Dev Sec Ops"]
 action.risk = 1
 action.risk.param._risk_message = Container uploaded outside business hours from $user$
-action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}]
+action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -5095,7 +5095,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS ECR Container Upload Outside Business Hours - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -5112,7 +5112,7 @@ search = `cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage date_hour
 action.escu = 0
 action.escu.enabled = 1
 description = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). A upload of a new container is normally done from only a few known users. When the user was never seen before, we should have a closer look into the event.
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). A upload of a new container is normally done from only a few known users. When the user was never seen before, we should have a closer look into the event.
 action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
@@ -5127,7 +5127,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
 action.escu.analytic_story = ["Dev Sec Ops"]
 action.risk = 1
 action.risk.param._risk_message = Container uploaded from unknown user $user$
-action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}]
+action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -5135,7 +5135,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS ECR Container Upload Unknown User - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -5152,7 +5152,7 @@ search = `cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage NOT `aws_
 action.escu = 0
 action.escu.enabled = 1
 description = This search looks for AWS CloudTrail events and analyse the amount of eventNames which starts with Describe by a single user. This indicates that this user scans the configuration of your AWS cloud environment.
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1526"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = This search looks for AWS CloudTrail events and analyse the amount of eventNames which starts with Describe by a single user. This indicates that this user scans the configuration of your AWS cloud environment.
 action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
@@ -5167,7 +5167,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
 action.escu.analytic_story = ["AWS User Monitoring"]
 action.risk = 1
 action.risk.param._risk_message = User $user$ has excessive number of api calls $dc_events$ from these IP addresses $src$, violating the threshold of 50, using the following commands $command$.
-action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 18}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 18}]
+action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "other", "risk_score": 18}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 18}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -5175,7 +5175,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS Excessive Security Scanning - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AWS User Monitoring"], "cis20": ["CIS 13"], "confidence": 60, "impact": 30, "mitre_attack": ["T1526"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["AWS User Monitoring"], "cis20": ["CIS 13"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
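Review bot: The new `action.risk.param._risk` line in the first hunk keeps `user` as `"risk_object_type": "user"` while `src` is downgraded from `system` to `other`, yet the neighbouring hunks for the ECR, S3 and IAM detections in this same patch move their principal fields (`user`, `user_arn`, `userName`, `user_name`, `userIdentity.arn`) to `other` as well, so the release is inconsistent about whether AWS principals are user risk objects. In Splunk ES the risk object type is what selects identity versus asset enrichment and how the Risk Analysis dashboard and RBA threshold searches group an object, so a blanket move to `other` would, as far as I can tell, silently drop these principals and source IPs out of user- and system-based risk aggregation. Since this file is regenerated from the detection YAML by the release job, the decision belongs upstream: either keep `"risk_object_type": "user"` for principal fields and `"system"` for `src`/`src_ip` across the AWS detections, or record why `other` is now intended. The enclosing stanza starts and ends outside the hunk.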
@@ -5198,7 +5198,7 @@ search = `cloudtrail` eventName=Describe* OR eventName=List* OR eventName=Get* 
 action.escu = 0
 action.escu.enabled = 1
 description = This search uses built in Splunk command `| anomalydetection` to detect anomalies with respect to users making high number of GetObject API calls to download objects from S3 in a 10 minute time window. The field `probable_cause` is the name of the field that best explains why the event is anomalous. This command identifies anomalous events by computing a probability for each GetObject event by "count" "user_type" "user_arn" and detects anomaly based on the frequencies.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1119"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1119"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search uses built in Splunk command `| anomalydetection` to detect anomalies with respect to users making high number of GetObject API calls to download objects from S3 in a 10 minute time window. The field `probable_cause` is the name of the field that best explains why the event is anomalous. This command identifies anomalous events by computing a probability for each GetObject event by "count" "user_type" "user_arn" and detects anomaly based on the frequencies.
 action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
@@ -5213,7 +5213,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
 action.escu.analytic_story = ["Data Exfiltration"]
 action.risk = 1
 action.risk.param._risk_message = Anomalous S3 activities detected by user $user_arn$ from $src_ip$
-action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 64}]
+action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 64}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -5221,7 +5221,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1119"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1119"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -5238,7 +5238,7 @@ search = `cloudtrail` eventName=GetObject | bin _time span=10m | stats count va
 action.escu = 0
 action.escu.enabled = 1
 description = This search looks for events where AWS Batch Service is used for creating a job that could potentially abuse the AWS Bucket Replication feature on S3 buckets. This AWS service can used to transfer data between different AWS S3 buckets and an attacker can leverage this to exfiltrate data by creating a malicious batch job.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1119"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1119"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = This search looks for events where AWS Batch Service is used for creating a job that could potentially abuse the AWS Bucket Replication feature on S3 buckets. This AWS service can used to transfer data between different AWS S3 buckets and an attacker can leverage this to exfiltrate data by creating a malicious batch job.
 action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
@@ -5253,7 +5253,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
 action.escu.analytic_story = ["Data Exfiltration"]
 action.risk = 1
 action.risk.param._risk_message = AWS Batch Job is created on account id - $aws_account_id$ from src_ip $src_ip$
-action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 64}]
+action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 64}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -5261,7 +5261,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS Exfiltration via Batch Service - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1119"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1119"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -5285,7 +5285,7 @@ action.escu = 0
 action.escu.enabled = 1
 description = The following analytic detects API calls made to an S3 bucket when bucket replication services are enabled. S3 bucket replication is a feature offered by Amazon Web Services (AWS) that allows you to automatically and asynchronously copy data from one S3 bucket to another in the same or different region.\
 S3 bucket replication can also be used for cross-account replication, where data is replicated from a source bucket owned by one AWS account to a destination bucket owned by a different AWS account.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic detects API calls made to an S3 bucket when bucket replication services are enabled. S3 bucket replication is a feature offered by Amazon Web Services (AWS) that allows you to automatically and asynchronously copy data from one S3 bucket to another in the same or different region.\
 S3 bucket replication can also be used for cross-account replication, where data is replicated from a source bucket owned by one AWS account to a destination bucket owned by a different AWS account.
@@ -5301,7 +5301,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
 action.escu.analytic_story = ["Suspicious AWS S3 Activities", "Data Exfiltration"]
 action.risk = 1
 action.risk.param._risk_message = AWS Bucket Replication rule $rule$ added on $source_bucket$ to $destination_bucket$ by user $user_arn$ from IP Address - $src_ip$
-action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 64}]
+action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 64}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -5309,7 +5309,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS Exfiltration via Bucket Replication - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS S3 Activities", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1537"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS S3 Activities", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -5333,7 +5333,7 @@ search = `cloudtrail` eventName = PutBucketReplication eventSource = s3.amazona
 action.escu = 0
 action.escu.enabled = 1
 description = This search looks for potential misuse of an AWS service known as DataSync. This AWS service is used to transfer data between different AWS cloud storage services, such as Amazon S3, Amazon EFS, and Amazon FSx for Windows File Server. Attackers can create a task in AWS to periodically copy data from a private AWS location to a public location resulting in the compromise of the data.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1119"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1119"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = This search looks for potential misuse of an AWS service known as DataSync. This AWS service is used to transfer data between different AWS cloud storage services, such as Amazon S3, Amazon EFS, and Amazon FSx for Windows File Server. Attackers can create a task in AWS to periodically copy data from a private AWS location to a public location resulting in the compromise of the data.
 action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
@@ -5348,7 +5348,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
 action.escu.analytic_story = ["Suspicious AWS S3 Activities", "Data Exfiltration"]
 action.risk = 1
 action.risk.param._risk_message = DataSync task created on account id - $aws_account_id$ by user $user_arn$ from src_ip $src_ip$
-action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 64}]
+action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 64}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -5356,7 +5356,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS Exfiltration via DataSync Task - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS S3 Activities", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1119"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS S3 Activities", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1119"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -5379,7 +5379,7 @@ search = `cloudtrail` eventName = CreateTask eventSource="datasync.amazonaws.com
 action.escu = 0
 action.escu.enabled = 1
 description = This search detects a series of AWS API calls, made in a short time window, related to EC2 snapshots that can detect a potential exfiltration via EC2 Snapshot modifications. In this attack, the attacker typically proceeds by listing and creating EC2 snapshots of the available EC2 instances followed by modifying snapshot attributes such that it can be shared externally. Once this is done, the attacker can then load that EC2 snapshot and access all the sensitive information.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = This search detects a series of AWS API calls, made in a short time window, related to EC2 snapshots that can detect a potential exfiltration via EC2 Snapshot modifications. In this attack, the attacker typically proceeds by listing and creating EC2 snapshots of the available EC2 instances followed by modifying snapshot attributes such that it can be shared externally. Once this is done, the attacker can then load that EC2 snapshot and access all the sensitive information.
 action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. We have intentionally removed `guardduty.amazonaws.com` from src_ip to remove false positives caused by guard duty. We recommend you adjust the time window as per your environment.
@@ -5394,7 +5394,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
 action.escu.analytic_story = ["Suspicious Cloud Instance Activities", "Data Exfiltration"]
 action.risk = 1
 action.risk.param._risk_message = Potential AWS EC2 Exfiltration detected on account id - $aws_account_id$ by user $userName$ from src_ip $src_ip$
-action.risk.param._risk = [{"risk_object_field": "userName", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 64}]
+action.risk.param._risk = [{"risk_object_field": "userName", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 64}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -5402,7 +5402,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS Exfiltration via EC2 Snapshot - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Instance Activities", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1537"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Instance Activities", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -5425,7 +5425,7 @@ search = `cloudtrail` eventName IN ("CreateSnapshot", "DescribeSnapshotAttribute
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies an AWS account with more than 20 failed authentication events in the span of 5 minutes. This behavior could represent a brute force attack against the account. As environments differ across organizations, security teams should customize the threshold of this detection.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies an AWS account with more than 20 failed authentication events in the span of 5 minutes. This behavior could represent a brute force attack against the account. As environments differ across organizations, security teams should customize the threshold of this detection.
 action.escu.how_to_implement = You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
@@ -5440,7 +5440,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
 action.escu.analytic_story = ["Compromised User Account", "AWS Identity and Access Management Account Takeover"]
 action.risk = 1
 action.risk.param._risk_message = User $user_name$ failed to authenticate more than 20 times in the span of 5 minutes for AWS Account $aws_account_id$
-action.risk.param._risk = [{"risk_object_field": "user_name", "risk_object_type": "user", "risk_score": 35}]
+action.risk.param._risk = [{"risk_object_field": "user_name", "risk_object_type": "other", "risk_score": 35}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
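Review bot: The new `action.escu.mappings` line for AWS High Number Of Failed Authentications For User still carries `"mitre_attack": ["T1201"]` (Password Policy Discovery), although the description and the `ConsoleLogin action=failure` search describe a brute-force attempt against a single account; the sibling From Ip detection two hunks below maps the same behaviour to `["T1110", "T1110.003", "T1110.004"]`, and this one should sit in the T1110 family too (T1110.001 Password Guessing is the closest fit for a per-user threshold). Since `kill_chain_phases` is being added here from the upstream detection YAML, that is the place to correct the technique as well, e.g. `action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001"], "nist": ["DE.AE"]}`, together with the matching `action.correlationsearch.annotations` line in the next hunk. Separately, the description and risk message say "in the span of 5 minutes" while the search line that surfaces as the header of the From Ip hunk, which appears to be this stanza's search, buckets by `span=10m`, so one of the two looks stale. The enclosing stanza starts and ends outside the hunk.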
@@ -5448,7 +5448,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS High Number Of Failed Authentications For User - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account", "AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account", "AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -5465,7 +5465,7 @@ search = `cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _t
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies an IP address failing to authenticate 20 or more times to the AWS Web Console in the span of 5 minutes. This behavior could represent a brute force attack against an AWS tenant to obtain initial access or elevate privileges. As environments differ across organizations, security teams should customize the threshold of this detection.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies an IP address failing to authenticate 20 or more times to the AWS Web Console in the span of 5 minutes. This behavior could represent a brute force attack against an AWS tenant to obtain initial access or elevate privileges. As environments differ across organizations, security teams should customize the threshold of this detection.
 action.escu.how_to_implement = You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the tried account threshold to tune this search according to their environment.
@@ -5480,7 +5480,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
 action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover", "Compromised User Account"]
 action.risk = 1
 action.risk.param._risk_message = Multiple failed console login attempts against users $tried_accounts$ seen from $src_ip$
-action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 54}, {"risk_object_field": "tried_accounts", "risk_object_type": "user", "risk_score": 54}]
+action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 54}, {"risk_object_field": "tried_accounts", "risk_object_type": "user", "risk_score": 54}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -5488,7 +5488,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS High Number Of Failed Authentications From Ip - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "mitre_attack": ["T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -5505,7 +5505,7 @@ search = `cloudtrail` eventName=ConsoleLogin action=failure | bucket span=5m _ti
 action.escu = 0
 action.escu.enabled = 1
 description = The following detection identifies excessive AccessDenied events within an hour timeframe. It is possible that an access key to AWS may have been stolen and is being misused to perform discovery events. In these instances, the access is not available with the key stolen therefore these events will be generated.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1580"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1580"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following detection identifies excessive AccessDenied events within an hour timeframe. It is possible that an access key to AWS may have been stolen and is being misused to perform discovery events. In these instances, the access is not available with the key stolen therefore these events will be generated.
 action.escu.how_to_implement = The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs.
@@ -5520,7 +5520,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
 action.escu.analytic_story = ["Suspicious Cloud User Activities"]
 action.risk = 1
 action.risk.param._risk_message = User $userIdentity.arn$ is seen to perform excessive number of discovery related api calls- $failures$, within an hour where the access was denied.
-action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 10}, {"risk_object_field": "userIdentity.arn", "risk_object_type": "user", "risk_score": 10}]
+action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 10}, {"risk_object_field": "userIdentity.arn", "risk_object_type": "other", "risk_score": 10}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -5528,7 +5528,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS IAM AccessDenied Discovery Events - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud User Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "mitre_attack": ["T1580"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud User Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1580"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -5545,7 +5545,7 @@ search = `cloudtrail` (errorCode = "AccessDenied") user_type=IAMUser (userAgent!
 action.escu = 0
 action.escu.enabled = 1
 description = The following detection identifies any malformed policy document exceptions with a status of `failure`. A malformed policy document exception occurs in instances where roles are attempted to be assumed, or brute forced. In a brute force attempt, using a tool like CloudSploit or Pacu, an attempt will look like `arn:aws:iam::111111111111:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS`. Meaning, when an adversary is attempting to identify a role name, multiple failures will occur. This detection focuses on the errors of a remote attempt that is failing.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1580", "T1110"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1580", "T1110"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following detection identifies any malformed policy document exceptions with a status of `failure`. A malformed policy document exception occurs in instances where roles are attempted to be assumed, or brute forced. In a brute force attempt, using a tool like CloudSploit or Pacu, an attempt will look like `arn:aws:iam::111111111111:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS`. Meaning, when an adversary is attempting to identify a role name, multiple failures will occur. This detection focuses on the errors of a remote attempt that is failing.
 action.escu.how_to_implement = The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs. Set the `where count` greater than a value to identify suspicious activity in your environment.
@@ -5560,7 +5560,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
 action.escu.analytic_story = ["AWS IAM Privilege Escalation"]
 action.risk = 1
 action.risk.param._risk_message = User $user_arn$ has caused multiple failures with errorCode $errorCode$, which potentially means adversary is attempting to identify a role name.
-action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 28}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 28}]
+action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "other", "risk_score": 28}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 28}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -5568,7 +5568,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS IAM Assume Role Policy Brute Force - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "mitre_attack": ["T1580", "T1110"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1580", "T1110"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -5591,7 +5591,7 @@ search = `cloudtrail` (errorCode=MalformedPolicyDocumentException) status=failur
 action.escu = 0
 action.escu.enabled = 1
 description = The following detection identifes when a policy is deleted on AWS. This does not identify whether successful or failed, but the error messages tell a story of suspicious attempts. There is a specific process to follow when deleting a policy. First, detach the policy from all users, groups, and roles that the policy is attached to, using DetachUserPolicy , DetachGroupPolicy , or DetachRolePolicy.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following detection identifes when a policy is deleted on AWS. This does not identify whether successful or failed, but the error messages tell a story of suspicious attempts. There is a specific process to follow when deleting a policy. First, detach the policy from all users, groups, and roles that the policy is attached to, using DetachUserPolicy , DetachGroupPolicy , or DetachRolePolicy.
 action.escu.how_to_implement = The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs.
@@ -5609,7 +5609,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS IAM Delete Policy - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "mitre_attack": ["T1098"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -5626,7 +5626,7 @@ search = `cloudtrail` eventName=DeletePolicy (userAgent!=*.amazonaws.com) | stat
 action.escu = 0
 action.escu.enabled = 1
 description = This detection identifies failure attempts to delete groups. We want to identify when a group is attempting to be deleted, but either access is denied, there is a conflict or there is no group. This is indicative of administrators performing an action, but also could be suspicious behavior occurring. Review parallel IAM events - recently added users, new groups and so forth.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This detection identifies failure attempts to delete groups. We want to identify when a group is attempting to be deleted, but either access is denied, there is a conflict or there is no group. This is indicative of administrators performing an action, but also could be suspicious behavior occurring. Review parallel IAM events - recently added users, new groups and so forth.
 action.escu.how_to_implement = The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs.
@@ -5641,7 +5641,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
 action.escu.analytic_story = ["AWS IAM Privilege Escalation"]
 action.risk = 1
 action.risk.param._risk_message = User $user_arn$ has had mulitple failures while attempting to delete groups from $src$
-action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 5}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 5}]
+action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "other", "risk_score": 5}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 5}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -5649,7 +5649,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS IAM Failure Group Deletion - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "mitre_attack": ["T1098"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -5666,7 +5666,7 @@ search = `cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorC
 action.escu = 0
 action.escu.enabled = 1
 description = The following query uses IAM events to track the success of a group being deleted on AWS. This is typically not indicative of malicious behavior, but a precurser to additional events thay may unfold. Review parallel IAM events - recently added users, new groups and so forth. Inversely, review failed attempts in a similar manner.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1069.003", "T1098", "T1069"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1069.003", "T1098", "T1069"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following query uses IAM events to track the success of a group being deleted on AWS. This is typically not indicative of malicious behavior, but a precurser to additional events thay may unfold. Review parallel IAM events - recently added users, new groups and so forth. Inversely, review failed attempts in a similar manner.
 action.escu.how_to_implement = The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs.
@@ -5684,7 +5684,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS IAM Successful Group Deletion - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "mitre_attack": ["T1069.003", "T1098", "T1069"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1069.003", "T1098", "T1069"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -5701,7 +5701,7 @@ search = `cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorC
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic is designed to detect IAM users attempting to update/modify AWS lambda code via the AWS CLI to gain persistence, futher access into your AWS environment and to facilitate planting backdoors. In this instance, an attacker may upload malicious code/binary to a lambda function which will be executed automatically when the funnction is triggered.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This analytic is designed to detect IAM users attempting to update/modify AWS lambda code via the AWS CLI to gain persistence, futher access into your AWS environment and to facilitate planting backdoors. In this instance, an attacker may upload malicious code/binary to a lambda function which will be executed automatically when the funnction is triggered.
 action.escu.how_to_implement = You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment.
@@ -5719,7 +5719,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS Lambda UpdateFunctionCode - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud User Activities"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud User Activities"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -5736,7 +5736,7 @@ search = `cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionC
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies an attempt to disable multi-factor authentication for an AWS IAM user. An adversary who has obtained access to an AWS tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1556", "T1556.006"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1556", "T1556.006"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies an attempt to disable multi-factor authentication for an AWS IAM user. An adversary who has obtained access to an AWS tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users.
 action.escu.how_to_implement = The Splunk AWS Add-on is required to utilize this data. The search requires AWS Cloudtrail logs.
@@ -5751,7 +5751,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
 action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover"]
 action.risk = 1
 action.risk.param._risk_message = User $user_name$ has disabled Multi-Factor authentication for AWS account $aws_account_id$
-action.risk.param._risk = [{"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "user_name", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "src", "risk_object_type": "system", "risk_score": 64}]
+action.risk.param._risk = [{"risk_object_field": "aws_account_id", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "user_name", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "src", "risk_object_type": "other", "risk_score": 64}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -5759,7 +5759,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS Multi-Factor Authentication Disabled - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1586", "T1586.003", "T1621", "T1556", "T1556.006"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Weaponization", "Exploitation", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1556", "T1556.006"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -5782,7 +5782,7 @@ search = `cloudtrail` (eventName= DeleteVirtualMFADevice OR eventName=Deactivate
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies multiple failed multi-factor authentication requests to an AWS Console for a single user. AWS Cloudtrail logs provide a a very useful field called `additionalEventData` that logs information regarding usage of MFA. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. AWS Environments can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1621"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1621"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies multiple failed multi-factor authentication requests to an AWS Console for a single user. AWS Cloudtrail logs provide a a very useful field called `additionalEventData` that logs information regarding usage of MFA. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. AWS Environments can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds.
The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.
 action.escu.how_to_implement = The Splunk AWS Add-on is required to utilize this data. The search requires AWS Cloudtrail logs.
@@ -5797,7 +5797,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
 action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover"]
 action.risk = 1
 action.risk.param._risk_message = User $user_name$ is seen to have high number of MFA prompt failures within a short period of time.
-action.risk.param._risk = [{"risk_object_field": "user_name", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "src", "risk_object_type": "system", "risk_score": 64}]
+action.risk.param._risk = [{"risk_object_field": "user_name", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "src", "risk_object_type": "other", "risk_score": 64}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -5805,7 +5805,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS Multiple Failed MFA Requests For User - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1586", "T1586.003", "T1621"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1621"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -5822,7 +5822,7 @@ search = `cloudtrail` eventName= ConsoleLogin "additionalEventData.MFAUsed"=Yes
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies one source Ip failing to authenticate into the AWS Console with 30 unique valid users within 10 minutes. This behavior could represent an adversary performing a Password Spraying attack against an AWS environment tenant to obtain initial access or elevate privileges.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies one source Ip failing to authenticate into the AWS Console with 30 unique valid users within 10 minutes. This behavior could represent an adversary performing a Password Spraying attack against an AWS environment tenant to obtain initial access or elevate privileges.
 action.escu.how_to_implement = You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the tried account threshold to tune this search according to their environment.
@@ -5837,7 +5837,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
 action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover", "Compromised User Account"]
 action.risk = 1
 action.risk.param._risk_message = Multiple failed console login attempts against users $tried_accounts$ seen from $src_ip$
-action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 54}, {"risk_object_field": "tried_accounts", "risk_object_type": "user", "risk_score": 54}]
+action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 54}, {"risk_object_field": "tried_accounts", "risk_object_type": "user", "risk_score": 54}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -5845,7 +5845,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS Multiple Users Failing To Authenticate From Ip - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "mitre_attack": ["T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -5862,7 +5862,7 @@ search = `cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _t
 action.escu = 0
 action.escu.enabled = 1
 description = The search looks for AWS CloudTrail events to detect if any network ACLs were created with all the ports open to a specified CIDR.
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The search looks for AWS CloudTrail events to detect if any network ACLs were created with all the ports open to a specified CIDR.
 action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS, version 4.4.0 or later, and configure your AWS CloudTrail inputs.
@@ -5877,7 +5877,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
 action.escu.analytic_story = ["AWS Network ACL Activity"]
 action.risk = 1
 action.risk.param._risk_message = User $user_arn$ has created network ACLs with all the ports open to a specified CIDR $requestParameters.cidrBlock$
-action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 48}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 48}]
+action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "other", "risk_score": 48}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 48}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -5885,7 +5885,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS Network Access Control List Created with All Open Ports - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AWS Network ACL Activity"], "cis20": ["CIS 13"], "confidence": 80, "impact": 60, "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["AWS Network ACL Activity"], "cis20": ["CIS 13"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -5908,7 +5908,7 @@ search = `cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetwor
 action.escu = 0
 action.escu.enabled = 1
 description = Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the AWS console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the AWS CloudTrail logs to detect users deleting network ACLs.
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the AWS console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the AWS CloudTrail logs to detect users deleting network ACLs.
 action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs.
@@ -5923,7 +5923,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
 action.escu.analytic_story = ["AWS Network ACL Activity"]
 action.risk = 1
 action.risk.param._risk_message = User $user_arn$ from $src$ has sucessfully deleted network ACLs entry (eventName= $eventName$), such that the instance is accessible from anywhere
-action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 5}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 5}]
+action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "other", "risk_score": 5}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 5}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -5931,7 +5931,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - AWS Network Access Control List Deleted - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AWS Network ACL Activity"], "cis20": ["CIS 13"], "confidence": 50, "impact": 10, "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["AWS Network ACL Activity"], "cis20": ["CIS 13"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -5948,7 +5948,7 @@ search = `cloudtrail` eventName=DeleteNetworkAclEntry requestParameters.egress=f
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies the registration of a new Multi Factor authentication method for an AWS account. Adversaries who have obtained unauthorized access to an AWS account may register a new MFA method to maintain persistence.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies the registration of a new Multi Factor authentication method for an AWS account. Adversaries who have obtained unauthorized access to an AWS account may register a new MFA method to maintain persistence.
 action.escu.how_to_implement = You must install Splunk AWS add on and Splunk App for AWS. This search works when AWS CloudTrail logs.
@@ -5963,7 +5963,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"]
 action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover"]
 action.risk = 1
 action.risk.param._risk_message = A new virtual device $virtualMFADeviceName$ is added to user $user_arn$
-action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 64}]
+action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 64}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -5971,7 +5971,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS New MFA Method Registered For User - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -5994,7 +5994,7 @@ search = `cloudtrail` eventName=CreateVirtualMFADevice | stats count values(req action.escu = 0 action.escu.enabled = 1 description = This search looks for AWS CloudTrail events where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search looks for AWS CloudTrail events where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised. action.escu.how_to_implement = You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs. 
@@ -6012,7 +6012,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS Password Policy Changes - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "mitre_attack": ["T1201"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -6029,7 +6029,7 @@ search = `cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPas action.escu = 0 action.escu.enabled = 1 description = This correlation search looks at the risk events created by the detection analytics related Collection and Exfiltration techniques used by adversaries. The rule is designed to identify instances where 2 or more analytics unique AWS analytics and 2 or more distinct mitre IDs has triggered for a particular risk object. This alert when triggered may indicate a potential exfiltration in progress. By aggregating these analytics, security teams can swiftly respond to and investigate any suspicious activities, enhancing their ability to protect critical assets and prevent unauthorized access to sensitive information. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1537"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.AE"]} action.escu.data_models = ["Risk"] action.escu.eli5 = This correlation search looks at the risk events created by the detection analytics related Collection and Exfiltration techniques used by adversaries. The rule is designed to identify instances where 2 or more analytics unique AWS analytics and 2 or more distinct mitre IDs has triggered for a particular risk object. This alert when triggered may indicate a potential exfiltration in progress. By aggregating these analytics, security teams can swiftly respond to and investigate any suspicious activities, enhancing their ability to protect critical assets and prevent unauthorized access to sensitive information. action.escu.how_to_implement = You must enable all the detection searches in the Data Exfiltration Analytic story to create risk events in Enterprise Security. 
@@ -6047,7 +6047,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - RIR - AWS S3 Exfiltration Behavior Identified - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Instance Activities", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "mitre_attack": ["T1537"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Instance Activities", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.AE"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -6070,7 +6070,7 @@ search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_ action.escu = 0 action.escu.enabled = 1 description = This search provides specific SAML access from specific Service Provider, user and targeted principal at AWS. This search provides specific information to detect abnormal access or potential credential hijack or forgery, specially in federated environments using SAML protocol inside the perimeter or cloud provider. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search provides specific SAML access from specific Service Provider, user and targeted principal at AWS. This search provides specific information to detect abnormal access or potential credential hijack or forgery, specially in federated environments using SAML protocol inside the perimeter or cloud provider. action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs 
@@ -6085,7 +6085,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["Cloud Federated Credential Abuse"] action.risk = 1 action.risk.param._risk_message = From IP address $sourceIPAddress$, user agent $userAgent$ has trigged an event $eventName$ for account ID $recipientAccountId$ -action.risk.param._risk = [{"risk_object_field": "sourceIPAddress", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "recipientAccountId", "risk_object_type": "other", "risk_score": 64}] +action.risk.param._risk = [{"risk_object_field": "sourceIPAddress", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "recipientAccountId", "risk_object_type": "other", "risk_score": 64}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -6093,7 +6093,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS SAML Access by Provider User and Principal - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cloud Federated Credential Abuse"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Cloud Federated Credential Abuse"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -6110,7 +6110,7 @@ search = `cloudtrail` eventName=Assumerolewithsaml | stats count min(_time) as f action.escu = 0 action.escu.enabled = 1 description = This search provides detection of updates to SAML provider in AWS. Updates to SAML provider need to be monitored closely as they may indicate possible perimeter compromise of federated credentials, or backdoor access from another cloud provider set by attacker. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search provides detection of updates to SAML provider in AWS. Updates to SAML provider need to be monitored closely as they may indicate possible perimeter compromise of federated credentials, or backdoor access from another cloud provider set by attacker. action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. 
@@ -6125,7 +6125,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["Cloud Federated Credential Abuse"] action.risk = 1 action.risk.param._risk_message = User $userIdentity.principalId$ from IP address $sourceIPAddress$ has trigged an event $eventName$ to update the SAML provider to $requestParameters.sAMLProviderArn$ -action.risk.param._risk = [{"risk_object_field": "sourceIPAddress", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "userIdentity.principalId", "risk_object_type": "user", "risk_score": 64}] +action.risk.param._risk = [{"risk_object_field": "sourceIPAddress", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "userIdentity.principalId", "risk_object_type": "user", "risk_score": 64}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -6133,7 +6133,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS SAML Update identity provider - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cloud Federated Credential Abuse"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1078"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Cloud Federated Credential Abuse"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -6156,7 +6156,7 @@ search = `cloudtrail` eventName=UpdateSAMLProvider | stats count min(_time) as f action.escu = 0 action.escu.enabled = 1 description = This search looks for AWS CloudTrail events where a user has set a default policy versions. Attackers have been know to use this technique for Privilege Escalation in case the previous versions of the policy had permissions to access more resources than the current version of the policy -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search looks for AWS CloudTrail events where a user has set a default policy versions. Attackers have been know to use this technique for Privilege Escalation in case the previous versions of the policy had permissions to access more resources than the current version of the policy action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. @@ -6171,7 +6171,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["AWS IAM Privilege Escalation"] action.risk = 1 action.risk.param._risk_message = From IP address $src$, user $user_arn$ has trigged an event $eventName$ for updating the the default policy version -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 30}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 30}] +action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 30}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -6179,7 +6179,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS SetDefaultPolicyVersion - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -6202,7 +6202,7 @@ search = `cloudtrail` eventName=SetDefaultPolicyVersion eventSource = iam.amazon action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies an AWS account successfully authenticating from more than one unique Ip address in the span of 5 minutes. This behavior could represent an adversary who has stolen credentials via a phishing attack or some other method and using them to access corporate online resources around the same time as a legitimate user. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1535"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1535"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies an AWS account successfully authenticating from more than one unique Ip address in the span of 5 minutes. This behavior could represent an adversary who has stolen credentials via a phishing attack or some other method and using them to access corporate online resources around the same time as a legitimate user. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments. action.escu.how_to_implement = You must install Splunk AWS add on and Splunk App for AWS. This search works when AWS CloudTrail events are normalized use the Authentication datamodel. 
@@ -6217,7 +6217,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["Suspicious AWS Login Activities", "Compromised User Account"] action.risk = 1 action.risk.param._risk_message = User $user_arn$ has successfully logged into the AWS Console from different IP addresses $src_ip$ within 5 mins -action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 72}] +action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 72}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 72}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -6225,7 +6225,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS Successful Console Authentication From Multiple IPs - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS Login Activities", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "mitre_attack": ["T1586", "T1535"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS Login Activities", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1535"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -6242,7 +6242,7 @@ search = `cloudtrail` eventName = ConsoleLogin | bin span=5m _time | stats valu action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a successful Console Login authentication event against an AWS IAM user for an account without Multi-Factor Authentication enabled. This could be evidence of a misconfiguration, a policy violation or an account take over attempt that should be investigated -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies a successful Console Login authentication event against an AWS IAM user for an account without Multi-Factor Authentication enabled. This could be evidence of a misconfiguration, a policy violation or an account take over attempt that should be investigated action.escu.how_to_implement = The Splunk AWS Add-on is required to utilize this data. The search requires AWS Cloudtrail logs. 
@@ -6257,7 +6257,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover"] action.risk = 1 action.risk.param._risk_message = User $user_name$ has successfully logged into an AWS Console without Multi-Factor Authentication from $src$ -action.risk.param._risk = [{"risk_object_field": "user_name", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "src", "risk_object_type": "system", "risk_score": 64}] +action.risk.param._risk = [{"risk_object_field": "user_name", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "src", "risk_object_type": "other", "risk_score": 64}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -6265,7 +6265,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS Successful Single-Factor Authentication - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -6288,7 +6288,7 @@ search = `cloudtrail` eventName= ConsoleLogin errorCode=success "additionalEvent action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies one source IP failing to authenticate into the AWS Console with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against an AWS environment to obtain initial access or elevate privileges. The detection calculates the standard deviation for source IP and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the bucket span time and the calculation of the upperBound field. This logic can be used for real time security monitoring as well as threat hunting exercises. While looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `AWS Multiple Users Failing To Authenticate From Ip`. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies one source IP failing to authenticate into the AWS Console with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against an AWS environment to obtain initial access or elevate privileges. The detection calculates the standard deviation for source IP and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. 
To customize this analytic, users can try different combinations of the bucket span time and the calculation of the upperBound field. This logic can be used for real time security monitoring as well as threat hunting exercises. While looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `AWS Multiple Users Failing To Authenticate From Ip`. action.escu.how_to_implement = You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the calculation of the upperBound field to tune this search according to their environment @@ -6303,7 +6303,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["AWS Identity and Access Management Account Takeover"] action.risk = 1 action.risk.param._risk_message = Unusual number of failed console login attempts against users $tried_accounts$ seen from $src_ip$ -action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 54}, {"risk_object_field": "tried_accounts", "risk_object_type": "user", "risk_score": 54}] +action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 54}, {"risk_object_field": "tried_accounts", "risk_object_type": "user", "risk_score": 54}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -6311,7 +6311,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS Unusual Number of Failed Authentications From Ip - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -6328,7 +6328,7 @@ search = `cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _t action.escu = 0 action.escu.enabled = 1 description = This search looks for AWS CloudTrail events where a user A who has already permission to update login profile, makes an API call to update login profile for another user B . Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B) -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search looks for AWS CloudTrail events where a user A who has already permission to update login profile, makes an API call to update login profile for another user B . Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B) action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. 
@@ -6343,7 +6343,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["AWS IAM Privilege Escalation"] action.risk = 1 action.risk.param._risk_message = From IP address $src$, user agent $userAgent$ has trigged an event $eventName$ for updating the existing login profile, potentially giving user $user_arn$ more access privilleges -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 30}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 30}] +action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 30}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -6351,7 +6351,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AWS UpdateLoginProfile - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS IAM Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -6374,7 +6374,7 @@ search = `cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazon action.escu = 0 action.escu.enabled = 1 description = The following analytic triggers on a high risk sign-in against Azure Active Directory identified by Azure Identity Protection. Identity Protection monitors sign-in events using heuristics and machine learning to identify potentially malicious events and categorizes them in three categories high, medium and low. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003"], "nist": ["DE.CM"]} action.escu.data_models = ["Risk"] action.escu.eli5 = The following analytic triggers on a high risk sign-in against Azure Active Directory identified by Azure Identity Protection. Identity Protection monitors sign-in events using heuristics and machine learning to identify potentially malicious events and categorizes them in three categories high, medium and low. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the RiskyUsers and UserRiskEvents log category in the azure:monitor:aad sourcetype. 
@@ -6389,7 +6389,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Azure Active Directory Account Takeover"] action.risk = 1 action.risk.param._risk_message = A high risk event was identified by Identify Protection for user $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 54}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 54}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -6397,7 +6397,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure Active Directory High Risk Sign-in - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -6416,11 +6416,57 @@ realtime_schedule = 0 is_visible = false search = `azure_monitor_aad` category=UserRiskEvents properties.riskLevel=high | rename properties.* as * | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, activity, riskLevel, riskEventType, additionalInfo | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_active_directory_high_risk_sign_in_filter` +[ESCU - Azure AD Admin Consent Bypassed by Service Principal - Rule] +action.escu = 0 +action.escu.enabled = 1 +description = This detection focuses on identifying instances in Azure Active Directory where a service principal assigns app roles without standard admin consent, using Entra ID logs. It operates on the azure_monitor_aad data source, scrutinizing the "Add app role assignment to service principal" operation, specifically from service principals. The query dissects details such as role ID, value, and description, important for understanding the nature of the roles being assigned. Monitoring this in a SOC is critical as it flags potential bypasses of vital administrative consent processes in Azure AD, which could result in unauthorized privileges being granted. A true positive detection suggests that a service principal may be exploiting automation to assign sensitive permissions without proper oversight. +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.003"], "nist": ["DE.CM"]} +action.escu.data_models = [] +action.escu.eli5 = This detection focuses on identifying instances in Azure Active Directory where a service principal assigns app roles without standard admin consent, using Entra ID logs. It operates on the azure_monitor_aad data source, scrutinizing the "Add app role assignment to service principal" operation, specifically from service principals. 
The query dissects details such as role ID, value, and description, important for understanding the nature of the roles being assigned. Monitoring this in a SOC is critical as it flags potential bypasses of vital administrative consent processes in Azure AD, which could result in unauthorized privileges being granted. A true positive detection suggests that a service principal may be exploiting automation to assign sensitive permissions without proper oversight. +action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlog log category +action.escu.known_false_positives = Service Principals are sometimes configured to legitimately bypass the consent process for purposes of automation. Filter as needed. 
+action.escu.creation_date = 2024-02-09 +action.escu.modification_date = 2024-02-09 +action.escu.confidence = high +action.escu.full_search_name = ESCU - Azure AD Admin Consent Bypassed by Service Principal - Rule +action.escu.search_type = detection +action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] +action.escu.providing_technologies = null +action.escu.analytic_story = ["Azure Active Directory Privilege Escalation", "NOBELIUM Group"] +action.risk = 1 +action.risk.param._risk_message = Service principal $src_user$ bypassed the admin consent process and granted permissions to $dest_user$ +action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "other", "risk_score": 54}] +action.risk.param._risk_score = 0 +action.risk.param.verbose = 0 +cron_schedule = 0 * * * * +dispatch.earliest_time = -70m@m +dispatch.latest_time = -10m@m +action.correlationsearch.enabled = 1 +action.correlationsearch.label = ESCU - Azure AD Admin Consent Bypassed by Service Principal - Rule +action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Privilege Escalation", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.003"], "nist": ["DE.CM"]} +schedule_window = auto +action.notable = 1 +action.notable.param.nes_fields = user,dest +action.notable.param.rule_description = This detection focuses on identifying instances in Azure Active Directory where a service principal assigns app roles without standard admin consent, using Entra ID logs. It operates on the azure_monitor_aad data source, scrutinizing the "Add app role assignment to service principal" operation, specifically from service principals. The query dissects details such as role ID, value, and description, important for understanding the nature of the roles being assigned. 
Monitoring this in a SOC is critical as it flags potential bypasses of vital administrative consent processes in Azure AD, which could result in unauthorized privileges being granted. A true positive detection suggests that a service principal may be exploiting automation to assign sensitive permissions without proper oversight. +action.notable.param.rule_title = Azure AD Admin Consent Bypassed by Service Principal +action.notable.param.security_domain = identity +action.notable.param.severity = high +alert.digest_mode = 1 +disabled = true +enableSched = 1 +allow_skew = 100% +counttype = number of events +relation = greater than +quantity = 0 +realtime_schedule = 0 +is_visible = false +search = `azure_monitor_aad` operationName="Add app role assignment to service principal" src_user_type=servicePrincipal | rename properties.* as * | eval roleId = mvindex('targetResources{}.modifiedProperties{}.newValue', 0) | eval roleValue = mvindex('targetResources{}.modifiedProperties{}.newValue', 1) | eval roleDescription = mvindex('targetResources{}.modifiedProperties{}.newValue', 2) | eval dest_user = mvindex('targetResources{}.id', 0) | rename initiatedBy.app.displayName as src_user | stats count earliest(_time) as firstTime latest(_time) as lastTime by src_user dest_user roleId roleValue roleDescription | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_admin_consent_bypassed_by_service_principal_filter` + [ESCU - Azure AD Application Administrator Role Assigned - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the assignment of the Application Administrator role to an Azure AD user. Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. This role also grants the ability to manage application credentials. 
Users assigned this role can add credentials to an application, and use those credentials to impersonate the applications identity. If the applications identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the applications identity may be an elevation of privilege over what the user can do via their role assignments. Red teams and adversaries alike may abuse this role to escalate their privileges in an Azure AD tenant. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the assignment of the Application Administrator role to an Azure AD user. Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. This role also grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the applications identity. If the applications identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the applications identity may be an elevation of privilege over what the user can do via their role assignments. Red teams and adversaries alike may abuse this role to escalate their privileges in an Azure AD tenant. 
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlog log category @@ -6435,7 +6481,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Azure Active Directory Privilege Escalation"] action.risk = 1 action.risk.param._risk_message = The privileged Azure AD role Application Administrator was assigned for User $user$ initiated by $initiatedBy$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "initiatedBy", "risk_object_type": "user", "risk_score": 35}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "initiatedBy", "risk_object_type": "other", "risk_score": 35}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -6443,7 +6489,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD Application Administrator Role Assigned - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
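Review bot: In the new `[ESCU - Azure AD Admin Consent Bypassed by Service Principal - Rule]` stanza, `action.notable.param.nes_fields = user,dest` names fields its search never produces: the closing `stats count earliest(_time) as firstTime latest(_time) as lastTime by src_user dest_user roleId roleValue roleDescription` emits `src_user` and `dest_user`, not `user` or `dest`, so notable suppression has nothing to key on. Unless ES tolerates absent suppression fields for this rule, the line should read `action.notable.param.nes_fields = src_user,dest_user`. The risk message also interpolates `$dest_user$` while `action.risk.param._risk` scores only `src_user`; if the principal receiving the role should accumulate risk, a second entry for `dest_user` is needed. The three `mvindex(...)` picks at positions 0, 1 and 2 assume a fixed ordering of `newValue` entries under `targetResources{}.modifiedProperties{}`, which is worth stating in `action.escu.how_to_implement` if that ordering is a known property of the Auditlog schema rather than an observation from sample events.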
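Review bot: `initiatedBy` is retyped from `"user"` to `"other"` in `action.risk.param._risk` of the Application Administrator Role Assigned rule, and again for External Guest User Invited in the hunk at `@@ -6665`; that rule's search (visible at the end of this chunk) renames `initiatedBy.user.userPrincipalName` to `initiatedBy`, so the value is a user principal name, and typing it `"other"` presumably drops identity-asset correlation for the acting administrator in ES risk scoring. The Application Administrator search itself lies outside this hunk, so whether its `initiatedBy` is likewise a UPN is inferred. If the retype is deliberate (for example to avoid double-scoring the initiator alongside `user`), a sentence in the release description would make that clear; otherwise `{"risk_object_field": "initiatedBy", "risk_object_type": "user", "risk_score": 35}` should be kept.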
@@ -6466,7 +6512,7 @@ search = `azure_monitor_aad` "operationName"="Add member to role" "properties action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies an authentication attempt event against an Azure AD tenant that fails during the Multi Factor Authentication challenge. Error Code 500121 represents a failed attempt to authenticate using a second factor. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies an authentication attempt event against an Azure AD tenant that fails during the Multi Factor Authentication challenge. Error Code 500121 represents a failed attempt to authenticate using a second factor. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. 
@@ -6481,7 +6527,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Azure Active Directory Account Takeover"] action.risk = 1 action.risk.param._risk_message = User $user$ failed to pass MFA challenge -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 54}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 54}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -6489,7 +6535,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD Authentication Failed During MFA Challenge - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -6512,7 +6558,7 @@ search = `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50 action.escu = 0 action.escu.enabled = 1 description = This analytic detects when the risk-based step-up consent security setting in Azure AD is disabled. This setting, when enabled, prevents regular users from granting consent to potentially malicious OAuth applications, requiring an administrative step-up for consent instead. Disabling this feature could expose the organization to OAuth phishing threats.The detection operates by monitoring Azure Active Directory logs for events where the "Update authorization policy" operation is performed. It specifically looks for changes to the "AllowUserConsentForRiskyApps" setting, identifying instances where this setting is switched to "true," effectively disabling the risk-based step-up consent. Monitoring for changes to critical security settings like the "risk-based step-up consent" is vital for maintaining the integrity of an organization's security posture. Disabling this feature can make the environment more susceptible to OAuth phishing attacks, where attackers trick users into granting permissions to malicious applications. Identifying when this setting is disabled can help blue teams to quickly respond, investigate, and potentially uncover targeted phishing campaigns against their users. If an attacker successfully disables the "risk-based step-up consent" and subsequently launches an OAuth phishing campaign, they could gain unauthorized access to user data and other sensitive information within the M365 environment. 
This could lead to data breaches, unauthorized access to emails, and potentially further compromise within the organization -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562"], "nist": ["DE.CM"]} action.escu.data_models = ["Risk"] action.escu.eli5 = This analytic detects when the risk-based step-up consent security setting in Azure AD is disabled. This setting, when enabled, prevents regular users from granting consent to potentially malicious OAuth applications, requiring an administrative step-up for consent instead. Disabling this feature could expose the organization to OAuth phishing threats.The detection operates by monitoring Azure Active Directory logs for events where the "Update authorization policy" operation is performed. It specifically looks for changes to the "AllowUserConsentForRiskyApps" setting, identifying instances where this setting is switched to "true," effectively disabling the risk-based step-up consent. Monitoring for changes to critical security settings like the "risk-based step-up consent" is vital for maintaining the integrity of an organization's security posture. Disabling this feature can make the environment more susceptible to OAuth phishing attacks, where attackers trick users into granting permissions to malicious applications. Identifying when this setting is disabled can help blue teams to quickly respond, investigate, and potentially uncover targeted phishing campaigns against their users. If an attacker successfully disables the "risk-based step-up consent" and subsequently launches an OAuth phishing campaign, they could gain unauthorized access to user data and other sensitive information within the M365 environment. 
This could lead to data breaches, unauthorized access to emails, and potentially further compromise within the organization action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. @@ -6527,7 +6573,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Azure Active Directory Account Takeover"] action.risk = 1 action.risk.param._risk_message = User $user$ disabled the BlockUserConsentForRiskyApps Azure AD setting. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 30}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 30}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -6535,7 +6581,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD Block User Consent For Risky Apps Disabled - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "mitre_attack": ["T1562"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
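Review bot: The `user` risk object in the Block User Consent For Risky Apps Disabled rule is retyped from `"user"` to `"other"`, which is inconsistent with every other `user` risk object in this chunk (High Risk Sign-in, Authentication Failed During MFA Challenge, Concurrent Sessions, Device Code Authentication and External Guest User Invited all keep `"risk_object_type": "user"`), while the risk message on the line above still reads `User $user$ disabled the BlockUserConsentForRiskyApps Azure AD setting.`. With `"other"` the score will not attach to the identity in ES risk-based alerting. Unless `user` here holds something other than an account (the search that sets it is outside this hunk), the entry should stay `{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 30}`.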
@@ -6558,7 +6604,7 @@ search = `azure_monitor_aad` operationName="Update authorization policy" | renam action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies an Azure AD account with concurrent sessions coming from more than one unique Ip address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1185"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies an Azure AD account with concurrent sessions coming from more than one unique Ip address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. 
@@ -6573,7 +6619,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Compromised User Account", "Azure Active Directory Account Takeover"] action.risk = 1 action.risk.param._risk_message = User $user$ has concurrent sessions from more than one unique IP address in the span of 5 minutes. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 42}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 42}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -6581,7 +6627,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD Concurrent Sessions From Different Ips - Rule -action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account", "Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "mitre_attack": ["T1185"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account", "Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -6604,7 +6650,7 @@ search = `azure_monitor_aad` properties.authenticationDetails{}.succeeded=true action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the execution of the Azure Device Code Phishing attack, which can lead to Azure Account Take-Over (ATO). The detection leverages Azure AD logs specifically focusing on authentication requests to identify the attack. This technique involves creating malicious infrastructure, bypassing Multi-Factor Authentication (MFA), and bypassing Conditional Access Policies (CAPs). The attack aims to compromise users by sending them phishing emails from attacker-controlled domains and trick the victims into performing OAuth 2.0 device authentication. A successful execution of this attack can result in adversaries gaining unauthorized access to Azure AD, Exchange mailboxes, and the target's Outlook Web Application (OWA). This attack technique was detailed by security researchers including Bobby Cooke, Stephan Borosh, and others. It's crucial for organizations to be aware of this threat, as it can lead to unauthorized access and potential data breaches. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1528", "T1566", "T1566.002"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery"], "mitre_attack": ["T1528", "T1566", "T1566.002"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the execution of the Azure Device Code Phishing attack, which can lead to Azure Account Take-Over (ATO). The detection leverages Azure AD logs specifically focusing on authentication requests to identify the attack. This technique involves creating malicious infrastructure, bypassing Multi-Factor Authentication (MFA), and bypassing Conditional Access Policies (CAPs). 
The attack aims to compromise users by sending them phishing emails from attacker-controlled domains and trick the victims into performing OAuth 2.0 device authentication. A successful execution of this attack can result in adversaries gaining unauthorized access to Azure AD, Exchange mailboxes, and the target's Outlook Web Application (OWA). This attack technique was detailed by security researchers including Bobby Cooke, Stephan Borosh, and others. It's crucial for organizations to be aware of this threat, as it can lead to unauthorized access and potential data breaches. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. @@ -6619,7 +6665,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Azure Active Directory Account Takeover"] action.risk = 1 action.risk.param._risk_message = Device code requested for $user$ from $src_ip$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 35}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 35}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -6627,7 +6673,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD Device Code Authentication - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "mitre_attack": ["T1528", "T1566", "T1566.002"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery"], "mitre_attack": ["T1528", "T1566", "T1566.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -6650,7 +6696,7 @@ search = `azure_monitor_aad` category=SignInLogs "properties.authenticationProto action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the invitation of an external guest user within Azure AD. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. External guest account invitations should be monitored by security teams as they could potentially lead to unauthorized access. An example of this attack vector was described at BlackHat 2022 by security researcher Dirk-Jan during his tall `Backdooring and Hijacking Azure AD Accounts by Abusing External Identities` -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1136.003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the invitation of an external guest user within Azure AD. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. External guest account invitations should be monitored by security teams as they could potentially lead to unauthorized access. An example of this attack vector was described at BlackHat 2022 by security researcher Dirk-Jan during his tall `Backdooring and Hijacking Azure AD Accounts by Abusing External Identities` action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. 
@@ -6665,7 +6711,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Azure Active Directory Persistence"] action.risk = 1 action.risk.param._risk_message = External Guest User $user$ initiated by $initiatedBy$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"risk_object_field": "initiatedBy", "risk_object_type": "user", "risk_score": 45}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"risk_object_field": "initiatedBy", "risk_object_type": "other", "risk_score": 45}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -6673,7 +6719,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD External Guest User Invited - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "mitre_attack": ["T1136.003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -6692,11 +6738,57 @@ realtime_schedule = 0 is_visible = false search = `azure_monitor_aad` operationName="Invite external user" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.type as type | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by type, initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_external_guest_user_invited_filter` +[ESCU - Azure AD FullAccessAsApp Permission Assigned - Rule] +action.escu = 0 +action.escu.enabled = 1 +description = The following analytic identifies when the 'full_access_as_app' permission, marked by the GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', is assigned to an application within Office 365 Exchange Online, identified by ResourceAppId '00000002-0000-0ff1-ce00-000000000000'. This permission grants broad control over Office 365 operations, including full access to all mailboxes and the capability to send emails as any user. The query utilizes the azure_monitor_aad data source, focusing on AuditLogs with the operation name 'Update application'. This monitoring is crucial for early detection of potential unauthorized access or data exfiltration, as the 'full_access_as_app' permission could lead to significant security incidents if exploited. +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.002", "T1098.003"], "nist": ["DE.CM"]} +action.escu.data_models = [] +action.escu.eli5 = The following analytic identifies when the 'full_access_as_app' permission, marked by the GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', is assigned to an application within Office 365 Exchange Online, identified by ResourceAppId '00000002-0000-0ff1-ce00-000000000000'. This permission grants broad control over Office 365 operations, including full access to all mailboxes and the capability to send emails as any user. 
The query utilizes the azure_monitor_aad data source, focusing on AuditLogs with the operation name 'Update application'. This monitoring is crucial for early detection of potential unauthorized access or data exfiltration, as the 'full_access_as_app' permission could lead to significant security incidents if exploited. +action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. +action.escu.known_false_positives = The full_access_as_app API permission may be assigned to legitimate applications. Filter as needed. +action.escu.creation_date = 2024-01-29 +action.escu.modification_date = 2024-01-29 +action.escu.confidence = high +action.escu.full_search_name = ESCU - Azure AD FullAccessAsApp Permission Assigned - Rule +action.escu.search_type = detection +action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] +action.escu.providing_technologies = null +action.escu.analytic_story = ["Azure Active Directory Persistence", "NOBELIUM Group"] +action.risk = 1 +action.risk.param._risk_message = User $user$ assigned the full_access_as_app permission to the app registration $object$ +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 48}] +action.risk.param._risk_score = 0 +action.risk.param.verbose = 0 +cron_schedule = 0 * * * * +dispatch.earliest_time = -70m@m +dispatch.latest_time = -10m@m +action.correlationsearch.enabled = 1 +action.correlationsearch.label = ESCU - Azure AD FullAccessAsApp Permission Assigned - Rule +action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "cis20": ["CIS 10"], 
"confidence": 60, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.002", "T1098.003"], "nist": ["DE.CM"]} +schedule_window = auto +action.notable = 1 +action.notable.param.nes_fields = user,dest +action.notable.param.rule_description = The following analytic identifies when the 'full_access_as_app' permission, marked by the GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', is assigned to an application within Office 365 Exchange Online, identified by ResourceAppId '00000002-0000-0ff1-ce00-000000000000'. This permission grants broad control over Office 365 operations, including full access to all mailboxes and the capability to send emails as any user. The query utilizes the azure_monitor_aad data source, focusing on AuditLogs with the operation name 'Update application'. This monitoring is crucial for early detection of potential unauthorized access or data exfiltration, as the 'full_access_as_app' permission could lead to significant security incidents if exploited. 
+action.notable.param.rule_title = Azure AD FullAccessAsApp Permission Assigned +action.notable.param.security_domain = threat +action.notable.param.severity = high +alert.digest_mode = 1 +disabled = true +enableSched = 1 +allow_skew = 100% +counttype = number of events +relation = greater than +quantity = 0 +realtime_schedule = 0 +is_visible = false +search = `azure_monitor_aad` category=AuditLogs operationName="Update application" | eval newvalue = mvindex('properties.targetResources{}.modifiedProperties{}.newValue',0) | spath input=newvalue | search "{}.ResourceAppId"="00000002-0000-0ff1-ce00-000000000000" "{}.RequiredAppPermissions{}.EntitlementId"="dc890d15-9560-4a4c-9b7f-a736ec74ec40" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_fullaccessasapp_permission_assigned_filter` + [ESCU - Azure AD Global Administrator Role Assigned - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the assignment of the Azure AD Global Administrator role to an Azure AD user. The Global Administrator role is the most powerful administrator role in Azure AD and provides almost unlimited access to data, resources and settings. It is equivalent to the Domain Administrator group in an Active Directory environment. While Azure AD roles do not grant access to Azure services and resources, it is possible for a Global Administrator account to gain control of Azure resources. Adversaries and red teams alike may assign this role to a compromised account to establish Persistence or escalate their privileges in an Azure AD environment. 
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1098.003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the assignment of the Azure AD Global Administrator role to an Azure AD user. The Global Administrator role is the most powerful administrator role in Azure AD and provides almost unlimited access to data, resources and settings. It is equivalent to the Domain Administrator group in an Active Directory environment. While Azure AD roles do not grant access to Azure services and resources, it is possible for a Global Administrator account to gain control of Azure resources. Adversaries and red teams alike may assign this role to a compromised account to establish Persistence or escalate their privileges in an Azure AD environment. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. 
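Review bot: The new `search` line of the FullAccessAsApp stanza only inspects the first modified property, `mvindex('properties.targetResources{}.modifiedProperties{}.newValue',0)`, so an `Update application` event whose permission change is not the first entry of `modifiedProperties{}` is never compared against the EntitlementId and the grant goes undetected; evaluating every newValue (for example expanding the multivalue with `mvexpand` before `spath`) would close that gap, though confirm against real AuditLogs samples since the event shape is not visible here. `action.notable.param.nes_fields = user,dest` names `dest`, which this search never produces — its `stats ... by user, object, user_agent, operationName` emits no `dest` — so notable suppression effectively keys on `user` alone, and `object` (the modified app registration) looks like the intended second key. Likewise `action.risk.param._risk` attributes risk only to `user`; the app registration in `object` carries no risk object, which may be deliberate but is worth stating in the detection's YAML. This file is presumably generated by the release job, so these fixes belong in the source detection rather than in `dist/`.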
@@ -6711,7 +6803,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"]
 action.risk = 1
 action.risk.param._risk_message = Global Administrator Role assigned for User $user$ initiated by $initiatedBy$
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}, {"risk_object_field": "initiatedBy", "risk_object_type": "user", "risk_score": 72}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}, {"risk_object_field": "initiatedBy", "risk_object_type": "other", "risk_score": 72}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -6719,7 +6811,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Azure AD Global Administrator Role Assigned - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "mitre_attack": ["T1098.003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -6742,7 +6834,7 @@ search = `azure_monitor_aad` operationName="Add member to role" properties.tar
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies an Azure AD account with more than 20 failed authentication events in the span of 10 minutes. This behavior could represent a brute force attack against the account. As environments differ across organizations, security teams should customize the threshold of this detection.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1110", "T1110.001"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies an Azure AD account with more than 20 failed authentication events in the span of 10 minutes. This behavior could represent a brute force attack against the account. As environments differ across organizations, security teams should customize the threshold of this detection.
 action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.
@@ -6765,7 +6857,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Azure AD High Number Of Failed Authentications For User - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account", "Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "mitre_attack": ["T1110", "T1110.001"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account", "Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -6788,7 +6880,7 @@ search = `azure_monitor_aad` category= SignInLogs properties.status.errorCode=5
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies an Ip address failing to authenticate 20 or more times to an Azure AD tenant in the span of 10 minutes. This behavior could represent a brute force attack againstan Azure AD to obtain initial access or elevate privileges. As environments differ across organizations, security teams should customize the threshold of this detection.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1110", "T1110.001", "T1110.003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001", "T1110.003"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies an Ip address failing to authenticate 20 or more times to an Azure AD tenant in the span of 10 minutes. This behavior could represent a brute force attack againstan Azure AD to obtain initial access or elevate privileges. As environments differ across organizations, security teams should customize the threshold of this detection.
 action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.
@@ -6800,10 +6892,10 @@ action.escu.full_search_name = ESCU - Azure AD High Number Of Failed Authenticat
 action.escu.search_type = detection
 action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
 action.escu.providing_technologies = null
-action.escu.analytic_story = ["Compromised User Account", "Azure Active Directory Account Takeover"]
+action.escu.analytic_story = ["Compromised User Account", "Azure Active Directory Account Takeover", "NOBELIUM Group"]
 action.risk = 1
 action.risk.param._risk_message = $src_ip$ failed to authenticate more than 20 times in the span of 10 minutes minutes.
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 35}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 35}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -6811,7 +6903,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account", "Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "mitre_attack": ["T1110", "T1110.001", "T1110.003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account", "Azure Active Directory Account Takeover", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001", "T1110.003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
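Review bot: The unchanged risk message in this hunk, `$src_ip$ failed to authenticate more than 20 times in the span of 10 minutes minutes.`, contradicts the stanza's `description` in the preceding @@ -6788 hunk, which says the IP is `failing to authenticate 20 or more times`; one of the two mis-states the threshold, and which one depends on the comparison in the stanza's `search` line, which lies outside this hunk. The message also doubles `minutes`; `$src_ip$ failed to authenticate 20 or more times in the span of 10 minutes.` (or `more than 20 times`, whichever matches the search) fixes both, and analysts reading the risk event should see the same threshold the description promises. This file is presumably generated from the detection YAML by the release job, so the correction belongs there.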
@@ -6834,7 +6926,7 @@ search = `azure_monitor_aad` category= SignInLogs properties.status.errorCode=5
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies an attempt to disable multi-factor authentication for an Azure AD user. An adversary who has obtained access to an Azure AD tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1556", "T1556.006"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1556", "T1556.006"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Authentication"]
 action.escu.eli5 = The following analytic identifies an attempt to disable multi-factor authentication for an Azure AD user. An adversary who has obtained access to an Azure AD tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users.
 action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.
@@ -6849,7 +6941,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Azure Active Directory Account Takeover"]
 action.risk = 1
 action.risk.param._risk_message = MFA disabled for User $user$ initiated by $initiatedBy$
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"risk_object_field": "initiatedBy", "risk_object_type": "user", "risk_score": 45}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"risk_object_field": "initiatedBy", "risk_object_type": "other", "risk_score": 45}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -6857,7 +6949,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Azure AD Multi-Factor Authentication Disabled - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "mitre_attack": ["T1586", "T1586.003", "T1556", "T1556.006"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Weaponization", "Exploitation", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1556", "T1556.006"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -6880,7 +6972,7 @@ search = `azure_monitor_aad` category=AuditLogs operationName="Disable Strong Au action.escu = 0 action.escu.enabled = 1 description = This analytic detects potential distributed password spraying attacks within an Azure AD environment. It identifies a notable increase in failed authentication attempts across a variety of unique user-and-IP address combinations, originating from multiple source IP addresses and countries, and employing different user agents. Such patterns suggest an adversary's attempt to bypass security controls by using a range of IP addresses to test commonly used passwords against numerous user accounts. The detection scrutinizes SignInLogs from Azure AD logs, particularly focusing on events with error code 50126, which signals a failed authentication due to incorrect credentials. By collating data over a five-minute interval, the analytic computes the distinct counts of user-and-IP combinations, unique users, source IPs, and countries. It then applies a set of thresholds to these metrics to pinpoint unusual activities that could indicate a coordinated attack effort. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Recognizing this behavior is vital for security operations centers (SOCs) as distributed password spraying represents a more complex form of traditional password spraying. Attackers distribute the source of their attempts to evade detection mechanisms that typically monitor for single-source IP anomalies. Prompt detection of such distributed activities is essential to thwart unauthorized access attempts, prevent account compromises, and mitigate the risk of further malicious activities within the organization's network. A true positive alert from this analytic suggests an active distributed password spraying attack against the organization's Azure AD tenant. 
A successful attack could result in unauthorized access, particularly to accounts with elevated privileges, leading to data breaches, privilege escalation, persistent threats, and lateral movement within the organization's infrastructure. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic detects potential distributed password spraying attacks within an Azure AD environment. It identifies a notable increase in failed authentication attempts across a variety of unique user-and-IP address combinations, originating from multiple source IP addresses and countries, and employing different user agents. Such patterns suggest an adversary's attempt to bypass security controls by using a range of IP addresses to test commonly used passwords against numerous user accounts. The detection scrutinizes SignInLogs from Azure AD logs, particularly focusing on events with error code 50126, which signals a failed authentication due to incorrect credentials. By collating data over a five-minute interval, the analytic computes the distinct counts of user-and-IP combinations, unique users, source IPs, and countries. It then applies a set of thresholds to these metrics to pinpoint unusual activities that could indicate a coordinated attack effort. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Recognizing this behavior is vital for security operations centers (SOCs) as distributed password spraying represents a more complex form of traditional password spraying. 
Attackers distribute the source of their attempts to evade detection mechanisms that typically monitor for single-source IP anomalies. Prompt detection of such distributed activities is essential to thwart unauthorized access attempts, prevent account compromises, and mitigate the risk of further malicious activities within the organization's network. A true positive alert from this analytic suggests an active distributed password spraying attack against the organization's Azure AD tenant. A successful attack could result in unauthorized access, particularly to accounts with elevated privileges, leading to data breaches, privilege escalation, persistent threats, and lateral movement within the organization's infrastructure. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment. 
@@ -6892,13 +6984,13 @@ action.escu.full_search_name = ESCU - Azure AD Multi-Source Failed Authenticatio
 action.escu.search_type = detection
 action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
 action.escu.providing_technologies = null
-action.escu.analytic_story = ["Azure Active Directory Account Takeover"]
+action.escu.analytic_story = ["Azure Active Directory Account Takeover", "NOBELIUM Group"]
 cron_schedule = 0 * * * *
 dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Azure AD Multi-Source Failed Authentications Spike - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -6915,7 +7007,7 @@ search = `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50 action.escu = 0 action.escu.enabled = 1 description = This analytic is crafted to identify unusual and potentially malicious authentication activity within an Azure AD environment. It triggers when a single user account is involved in more than 8 authentication attempts, using 3 or more unique application IDs and more than 5 unique user agents within a short timeframe. This pattern is atypical for regular user behavior and may indicate an adversary's attempt to probe the environment, testing for multi-factor authentication requirements across different applications and platforms. The detection is based on analysis of Azure AD audit logs, specifically focusing on authentication events. It employs statistical thresholds to highlight instances where the volume of authentication attempts and the diversity of application IDs and user agents associated with a single user account exceed normal parameters. Identifying this behavior is crucial as it provides an early indication of potential account compromise. Adversaries, once in possession of user credentials, often conduct reconnaissance to understand the security controls in place, including multi-factor authentication configurations. Tools like Invoke-MFASweep are commonly used for this purpose, automating the process of testing different user agents and application IDs to bypass MFA. By detecting these initial probing attempts, security teams can swiftly respond, potentially stopping an attack in its early stages and preventing further unauthorized access. This proactive stance is vital for maintaining the integrity of the organization's security posture. If validated as a true positive, this detection points to a compromised account, signaling that an attacker is actively attempting to navigate security controls to maintain access and potentially escalate privileges. 
This could lead to further exploitation, lateral movement within the network, and eventual data exfiltration. Recognizing and responding to this early stage of an attack is vital for preventing substantial harm and safeguarding sensitive organizational data and systems. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} action.escu.data_models = ["Authentication"] action.escu.eli5 = This analytic is crafted to identify unusual and potentially malicious authentication activity within an Azure AD environment. It triggers when a single user account is involved in more than 8 authentication attempts, using 3 or more unique application IDs and more than 5 unique user agents within a short timeframe. This pattern is atypical for regular user behavior and may indicate an adversary's attempt to probe the environment, testing for multi-factor authentication requirements across different applications and platforms. The detection is based on analysis of Azure AD audit logs, specifically focusing on authentication events. It employs statistical thresholds to highlight instances where the volume of authentication attempts and the diversity of application IDs and user agents associated with a single user account exceed normal parameters. Identifying this behavior is crucial as it provides an early indication of potential account compromise. Adversaries, once in possession of user credentials, often conduct reconnaissance to understand the security controls in place, including multi-factor authentication configurations. Tools like Invoke-MFASweep are commonly used for this purpose, automating the process of testing different user agents and application IDs to bypass MFA. 
By detecting these initial probing attempts, security teams can swiftly respond, potentially stopping an attack in its early stages and preventing further unauthorized access. This proactive stance is vital for maintaining the integrity of the organization's security posture. If validated as a true positive, this detection points to a compromised account, signaling that an attacker is actively attempting to navigate security controls to maintain access and potentially escalate privileges. This could lead to further exploitation, lateral movement within the network, and eventual data exfiltration. Recognizing and responding to this early stage of an attack is vital for preventing substantial harm and safeguarding sensitive organizational data and systems. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. @@ -6938,7 +7030,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD Multiple AppIDs and UserAgents Authentication Spike - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
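Review bot: The `description` of the Multiple AppIDs and UserAgents stanza (and its verbatim copy in `action.escu.eli5`) says the detection `is based on analysis of Azure AD audit logs, specifically focusing on authentication events`, but `action.escu.how_to_implement` in the same hunk says it leverages the `SignInLogs log category`, and the header context of the following @@ -6938 hunk shows the search filtering on `category=SignInLogs`; the description sends responders to the wrong log category. Rewording it to `The detection is based on analysis of Azure AD sign-in logs (SignInLogs), specifically focusing on authentication events.` in both copies aligns the triage text with what the search actually reads. The stanza's `search` line itself lies outside this hunk, so the exact filter is inferred from the header context only. This file is presumably generated from the detection YAML by the release job, so the correction belongs there.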
@@ -6955,7 +7047,7 @@ search = `azure_monitor_aad` category=SignInLogs operationName="Sign-in activit
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic targets the detection of an unusually high number of denied Multi-Factor Authentication (MFA) requests for a single user within a 10-minute window, specifically identifying instances where more than nine MFA prompts were declined by the user. Utilizing Azure Active Directory (Azure AD) sign-in logs, particularly focusing on "Sign-in activity" events, it filters for scenarios where the MFA request was denied due to the user declining the authentication, as indicated by error code 500121 and additional details stating "MFA denied; user declined the authentication." The data is then aggregated into 10-minute intervals, counting distinct raw events and capturing the earliest and latest times of occurrence for each user. This behavior is significant for a Security Operations Center (SOC) as it could be an early indicator of a targeted attack or an account compromise attempt, with an attacker having obtained the user's credentials and the user actively declining the MFA prompts, preventing unauthorized access. A true positive detection would imply that an attacker is on the verge of gaining full access to the user's account, posing a threat that could lead to data exfiltration, lateral movement, or further malicious activities within the organization, necessitating immediate investigation and response to safeguard the organization's assets.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1621"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1621"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = This analytic targets the detection of an unusually high number of denied Multi-Factor Authentication (MFA) requests for a single user within a 10-minute window, specifically identifying instances where more than nine MFA prompts were declined by the user. Utilizing Azure Active Directory (Azure AD) sign-in logs, particularly focusing on "Sign-in activity" events, it filters for scenarios where the MFA request was denied due to the user declining the authentication, as indicated by error code 500121 and additional details stating "MFA denied; user declined the authentication." The data is then aggregated into 10-minute intervals, counting distinct raw events and capturing the earliest and latest times of occurrence for each user. This behavior is significant for a Security Operations Center (SOC) as it could be an early indicator of a targeted attack or an account compromise attempt, with an attacker having obtained the user's credentials and the user actively declining the MFA prompts, preventing unauthorized access. A true positive detection would imply that an attacker is on the verge of gaining full access to the user's account, posing a threat that could lead to data exfiltration, lateral movement, or further malicious activities within the organization, necessitating immediate investigation and response to safeguard the organization's assets.
 action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub.
This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.
@@ -6978,7 +7070,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Azure AD Multiple Denied MFA Requests For User - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "mitre_attack": ["T1621"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1621"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -7001,7 +7093,7 @@ search = `azure_monitor_aad` category=SignInLogs operationName="Sign-in activity action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies multiple failed multi-factor authentication requests for a single user within an Azure AD tenant. Error Code 500121 represents a failed attempt to authenticate using a second factor. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. The reasons for these failure could be several, like the user not responding in time or receiving multiple duplicate MFA requests. Azure AD tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1078", "T1078.004"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1078", "T1078.004"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies multiple failed multi-factor authentication requests for a single user within an Azure AD tenant. Error Code 500121 represents a failed attempt to authenticate using a second factor. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. 
The reasons for these failure could be several, like the user not responding in time or receiving multiple duplicate MFA requests. Azure AD tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. 
@@ -7024,7 +7116,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Azure AD Multiple Failed MFA Requests For User - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "mitre_attack": ["T1586", "T1586.003", "T1621", "T1078", "T1078.004"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1078", "T1078.004"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -7043,12 +7135,92 @@ realtime_schedule = 0 is_visible = false search = `azure_monitor_aad` category=SignInLogs operationName="Sign-in activity" properties.status.errorCode=500121 properties.status.additionalDetails!="MFA denied; user declined the authentication" | rename properties.* as * | bucket span=10m _time | stats count min(_time) as firstTime max(_time) as lastTime by user, status.additionalDetails, appDisplayName, user_agent | where count > 9 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_failed_mfa_requests_for_user_filter` +[ESCU - Azure AD Multiple Service Principals Created by SP - Rule] +action.escu = 0 +action.escu.enabled = 1 +description = This detection identifies when a single service principal in Azure AD creates more than three unique OAuth applications within a 10-minute span, potentially signaling malicious activity. It monitors the 'Add service principal' operation, focusing on the activity of service principals rather than individual users. By aggregating the creation events over a 10-minute period, the analytic tracks how many distinct OAuth applications are created by each service principal. This is key for SOC teams to pinpoint potential attack staging, where an attacker might use a compromised or malicious service principal to rapidly establish multiple service principals, facilitating network infiltration or expansion. While the default threshold is set to trigger on more than three applications, security teams should adjust this to fit their specific environment's norm +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"]} +action.escu.data_models = [] +action.escu.eli5 = This detection identifies when a single service principal in Azure AD creates more than three unique OAuth applications within a 10-minute span, potentially signaling malicious activity. 
It monitors the 'Add service principal' operation, focusing on the activity of service principals rather than individual users. By aggregating the creation events over a 10-minute period, the analytic tracks how many distinct OAuth applications are created by each service principal. This is key for SOC teams to pinpoint potential attack staging, where an attacker might use a compromised or malicious service principal to rapidly establish multiple service principals, facilitating network infiltration or expansion. While the default threshold is set to trigger on more than three applications, security teams should adjust this to fit their specific environment's norm +action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. +action.escu.known_false_positives = Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed. 
+action.escu.creation_date = 2024-02-07 +action.escu.modification_date = 2024-02-07 +action.escu.confidence = high +action.escu.full_search_name = ESCU - Azure AD Multiple Service Principals Created by SP - Rule +action.escu.search_type = detection +action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] +action.escu.providing_technologies = null +action.escu.analytic_story = ["Azure Active Directory Persistence", "NOBELIUM Group"] +action.risk = 1 +action.risk.param._risk_message = Multiple OAuth applications were created by $src_user$ in a short period of time +action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "other", "risk_score": 42}] +action.risk.param._risk_score = 0 +action.risk.param.verbose = 0 +cron_schedule = 0 * * * * +dispatch.earliest_time = -70m@m +dispatch.latest_time = -10m@m +action.correlationsearch.enabled = 1 +action.correlationsearch.label = ESCU - Azure AD Multiple Service Principals Created by SP - Rule +action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"]} +schedule_window = auto +alert.digest_mode = 1 +disabled = true +enableSched = 1 +allow_skew = 100% +counttype = number of events +relation = greater than +quantity = 0 +realtime_schedule = 0 +is_visible = false +search = `azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.app.appId=* | rename properties.* as * | bucket span=10m _time | rename targetResources{}.displayName as displayName | rename targetResources{}.type as type | rename initiatedBy.app.displayName as src_user | stats min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | 
`security_content_ctime(lastTime)` | `azure_ad_multiple_service_principals_created_by_sp_filter` + +[ESCU - Azure AD Multiple Service Principals Created by User - Rule] +action.escu = 0 +action.escu.enabled = 1 +description = This detection focuses on identifying instances where a single user creates more than three unique OAuth applications within a 10-minute timeframe in Azure AD, a potential indicator of malicious activity. By monitoring the 'Add service principal' operation and aggregating the data with a 10-minute bucket span, it tracks the number of distinct OAuth applications created by each user. This analytic is crucial for SOC teams to detect possible staging of attacks, where an adversary might rapidly create multiple service principals as part of their infiltration or expansion strategy within the network. The threshold of three applications is set to flag unusual behavior, but security teams are advised to adjust this value to suit the normal operational patterns of their environment +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"]} +action.escu.data_models = [] +action.escu.eli5 = This detection focuses on identifying instances where a single user creates more than three unique OAuth applications within a 10-minute timeframe in Azure AD, a potential indicator of malicious activity. By monitoring the 'Add service principal' operation and aggregating the data with a 10-minute bucket span, it tracks the number of distinct OAuth applications created by each user. This analytic is crucial for SOC teams to detect possible staging of attacks, where an adversary might rapidly create multiple service principals as part of their infiltration or expansion strategy within the network. 
The threshold of three applications is set to flag unusual behavior, but security teams are advised to adjust this value to suit the normal operational patterns of their environment +action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. +action.escu.known_false_positives = Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed. +action.escu.creation_date = 2024-02-07 +action.escu.modification_date = 2024-02-07 +action.escu.confidence = high +action.escu.full_search_name = ESCU - Azure AD Multiple Service Principals Created by User - Rule +action.escu.search_type = detection +action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] +action.escu.providing_technologies = null +action.escu.analytic_story = ["Azure Active Directory Persistence", "NOBELIUM Group"] +action.risk = 1 +action.risk.param._risk_message = Multiple OAuth applications were created by $src_user$ in a short period of time +action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "other", "risk_score": 42}] +action.risk.param._risk_score = 0 +action.risk.param.verbose = 0 +cron_schedule = 0 * * * * +dispatch.earliest_time = -70m@m +dispatch.latest_time = -10m@m +action.correlationsearch.enabled = 1 +action.correlationsearch.label = ESCU - Azure AD Multiple Service Principals Created by User - Rule +action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": 
["T1136.003"], "nist": ["DE.AE"]} +schedule_window = auto +alert.digest_mode = 1 +disabled = true +enableSched = 1 +allow_skew = 100% +counttype = number of events +relation = greater than +quantity = 0 +realtime_schedule = 0 +is_visible = false +search = `azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.user.id=* | rename properties.* as * | bucket span=10m _time | rename targetResources{}.displayName as displayName | stats min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_multiple_service_principals_created_by_user_filter` + [ESCU - Azure AD Multiple Users Failing To Authenticate From Ip - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies one source Ip failing to authenticate with 30 unique valid users within 5 minutes. This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password. This logic can be used for real time security monitoring as well as threat hunting exercises.\ Azure AD tenants can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold if needed. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies one source Ip failing to authenticate with 30 unique valid users within 5 minutes. 
This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password. This logic can be used for real time security monitoring as well as threat hunting exercises.\ Azure AD tenants can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold if needed. @@ -7064,7 +7236,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Azure Active Directory Account Takeover"] action.risk = 1 action.risk.param._risk_message = Source Ip $src_ip$ failed to authenticate with 30 users within 5 minutes. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 63}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 63}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
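Review bot: In the new `ESCU - Azure AD Multiple Service Principals Created by User - Rule` stanza the `search` ends with `stats ... by src_user` and the risk message interpolates `$src_user$`, yet nothing in that pipeline defines `src_user`; the sibling SP stanza explicitly does `rename initiatedBy.app.displayName as src_user`, but the user variant has no equivalent, so unless the add-on supplies `src_user` as a field alias the `stats by src_user` step drops every event and the detection never fires. Making it explicit with `| rename initiatedBy.user.userPrincipalName as src_user` after the `rename properties.* as *` step would remove the dependency on the add-on's extractions. In the same stanza the `_risk` object types `src_user` as `"other"`, which for a UPN means Enterprise Security performs no identity enrichment on the risk event; `"user"` is the type that links it to the identities lookup, while `"other"` is appropriate in the SP variant where `src_user` is an application display name. The SP stanza also carries `rename targetResources{}.type as type` that the rest of the search never references and could be dropped.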
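Review bot: The `_risk` entry for `src_ip` changes `risk_object_type` from `"system"` to `"other"`, which stops Enterprise Security from resolving the address against the assets lookup when the risk event is written; `"system"` is the type that provides asset enrichment for an IP. The same downgrade appears in the `@@ -7104,7 +7276,7 @@` and `@@ -7150,7 +7322,7 @@` hunks, where the `user` risk object moves from `"user"` to `"other"` and so loses identity correlation for what is a UPN. If the retyping is intentional, the reason should be recorded in the detection source; otherwise the previous types look correct for these fields.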
@@ -7072,7 +7244,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Azure AD Multiple Users Failing To Authenticate From Ip - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -7089,7 +7261,7 @@ search = `azure_monitor_aad` category=SignInLogs properties.status.errorCode=5 action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the addition of a new custom domain within an Azure Active Directory tenant. Adding a custom domain is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1484", "T1484.002"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.002"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the addition of a new custom domain within an Azure Active Directory tenant. Adding a custom domain is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. 
A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA.
 action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.
@@ -7104,7 +7276,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Azure Active Directory Persistence"]
 action.risk = 1
 action.risk.param._risk_message = A new custom domain, $domain$ , was added by $user$
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 54}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -7112,7 +7284,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Azure AD New Custom Domain Added - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "mitre_attack": ["T1484", "T1484.002"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.002"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -7135,7 +7307,7 @@ search = `azure_monitor_aad` operationName="Add unverified domain" properties. action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the addition of a new federated domain within an Azure Active Directory tenant. This event could represent the execution of the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1484", "T1484.002"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.002"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the addition of a new federated domain within an Azure Active Directory tenant. This event could represent the execution of the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. 
A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA.
 action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.
@@ -7150,7 +7322,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Azure Active Directory Persistence"]
 action.risk = 1
 action.risk.param._risk_message = A new federated domain, $domain$ , was added by $user$
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 81}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -7158,7 +7330,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Azure AD New Federated Domain Added - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "mitre_attack": ["T1484", "T1484.002"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.002"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -7181,7 +7353,7 @@ search = `azure_monitor_aad` operationName="Set domain authentication" "proper action.escu = 0 action.escu.enabled = 1 description = This analytic detects the registration of a new Multi-Factor Authentication (MFA) method associated with a user account within Azure Active Directory by monitoring Azure AD audit logs and configurations. While adding a new MFA method can be a routine and legitimate action, it can also be indicative of an attacker's attempt to maintain persistence on a compromised account. By registering a new MFA method, attackers can potentially bypass existing security measures, allowing them to authenticate using stolen credentials without raising alarms. Monitoring for such changes is crucial, especially if the addition is not preceded by a user request or if it deviates from typical user behavior. If an attacker successfully registers a new MFA method on a compromised account, they can solidify their access, making it harder for legitimate users to regain control. The attacker can then operate with the privileges of the compromised account, potentially accessing sensitive data, making unauthorized changes, or even escalating their privileges further. Immediate action would be required to verify the legitimacy of the MFA change and, if malicious, to remediate and secure the affected account. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1098", "T1098.005"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.005"], "nist": ["DE.CM"]} action.escu.data_models = ["Authentication"] action.escu.eli5 = This analytic detects the registration of a new Multi-Factor Authentication (MFA) method associated with a user account within Azure Active Directory by monitoring Azure AD audit logs and configurations. 
While adding a new MFA method can be a routine and legitimate action, it can also be indicative of an attacker's attempt to maintain persistence on a compromised account. By registering a new MFA method, attackers can potentially bypass existing security measures, allowing them to authenticate using stolen credentials without raising alarms. Monitoring for such changes is crucial, especially if the addition is not preceded by a user request or if it deviates from typical user behavior. If an attacker successfully registers a new MFA method on a compromised account, they can solidify their access, making it harder for legitimate users to regain control. The attacker can then operate with the privileges of the compromised account, potentially accessing sensitive data, making unauthorized changes, or even escalating their privileges further. Immediate action would be required to verify the legitimacy of the MFA change and, if malicious, to remediate and secure the affected account. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. 
@@ -7204,7 +7376,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD New MFA Method Registered - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "mitre_attack": ["T1098", "T1098.005"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.005"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -7227,7 +7399,7 @@ search = `azure_monitor_aad` operationName="Update user" | rename properties.* action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the registration of a new Multi Factor authentication method for an Azure AD account. Adversaries who have obtained unauthorized access to an Azure AD account may register a new MFA method to maintain persistence. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the registration of a new Multi Factor authentication method for an Azure AD account. Adversaries who have obtained unauthorized access to an Azure AD account may register a new MFA method to maintain persistence. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. 
@@ -7242,7 +7414,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Compromised User Account", "Azure Active Directory Account Takeover"] action.risk = 1 action.risk.param._risk_message = A new MFA method was registered for user $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 64}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 64}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -7250,7 +7422,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD New MFA Method Registered For User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account", "Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account", "Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556", "T1556.006"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -7273,7 +7445,7 @@ search = `azure_monitor_aad` category=AuditLogs operationName="User registered action.escu = 0 action.escu.enabled = 1 description = This analytic detects when a user in an Azure AD environment grants consent to an OAuth application, capturing any consent granted regardless of the specific permissions requested. Utilizing Azure AD audit logs, it focuses on events related to OAuth application consents, alerting security teams to instances where users actively grant consent to applications. This monitoring is crucial as it highlights potential risks associated with third-party applications gaining access to organizational data, a tactic often exploited by malicious actors to gain unauthorized access. A true positive from this analytic necessitates immediate investigation to validate the application's legitimacy, review the granted permissions, and assess potential risks, helping to prevent unauthorized access and protect sensitive data and resources. While false positives may occur with legitimate application integrations, ensuring alignment with organizational policies and security best practices is paramount. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This analytic detects when a user in an Azure AD environment grants consent to an OAuth application, capturing any consent granted regardless of the specific permissions requested. Utilizing Azure AD audit logs, it focuses on events related to OAuth application consents, alerting security teams to instances where users actively grant consent to applications. This monitoring is crucial as it highlights potential risks associated with third-party applications gaining access to organizational data, a tactic often exploited by malicious actors to gain unauthorized access. 
A true positive from this analytic necessitates immediate investigation to validate the application's legitimacy, review the granted permissions, and assess potential risks, helping to prevent unauthorized access and protect sensitive data and resources. While false positives may occur with legitimate application integrations, ensuring alignment with organizational policies and security best practices is paramount. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. @@ -7296,7 +7468,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD OAuth Application Consent Granted By User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "mitre_attack": ["T1528"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -7319,7 +7491,7 @@ search = `azure_monitor_aad` operationName="Consent to application" properties.r action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds active assignment for the role. While PIM can be leveraged as a powerful security control, it may also abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds active assignment for the role. 
While PIM can be leveraged as a powerful security control, it may also abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. @@ -7342,7 +7514,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD PIM Role Assigned - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Privilege Escalation", "Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Privilege Escalation", "Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -7365,7 +7537,7 @@ search = `azure_monitor_aad` operationName="Add eligible member to role in PIM action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds active assignment for the role. While PIM can be leveraged as a powerful security control, it may also abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds active assignment for the role. 
While PIM can be leveraged as a powerful security control, it may also abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. @@ -7380,7 +7552,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Azure Active Directory Privilege Escalation", "Azure Active Directory Persistence"] action.risk = 1 action.risk.param._risk_message = An Azure AD PIM role assignment was activated by $initiatedBy$ by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 35}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
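Review bot: The `user` risk object for "Azure AD PIM Role Assignment Activated" is retyped to `other` here, while the sibling hunks in this commit (`@@ -7426` and `@@ -7469`) keep the target `user` typed as `user` and retype only `initiatedBy`; if `user` is the account receiving the activated role, the wrong object appears to have been changed. The risk message names both `$initiatedBy$` and `$user$`, yet only `user` is listed as a risk object, so the activating identity accrues no risk. Suggested: `action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "initiatedBy", "risk_object_type": "other", "risk_score": 35}]`. The rule's search body is outside this hunk, so whether `user` is the target or the actor should be confirmed there.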
@@ -7388,7 +7560,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD PIM Role Assignment Activated - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Privilege Escalation", "Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Privilege Escalation", "Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -7411,7 +7583,7 @@ search = `azure_monitor_aad` operationName="Add member to role completed (PIM a action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the assignment of the Privileged Authentication Administrato role to an Azure AD user. Users in this role can set or reset authentication methods for any user in Azure Active Directory, including privileged roles like Global Administrators. Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the credentials of a user may mean the ability to assume that users identity and permissions. Red teams and adversaries alike may abuse this role to escalate their privileges. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]} action.escu.data_models = ["Authentication"] action.escu.eli5 = The following analytic identifies the assignment of the Privileged Authentication Administrato role to an Azure AD user. Users in this role can set or reset authentication methods for any user in Azure Active Directory, including privileged roles like Global Administrators. Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the credentials of a user may mean the ability to assume that users identity and permissions. Red teams and adversaries alike may abuse this role to escalate their privileges. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. 
This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. @@ -7426,7 +7598,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Azure Active Directory Privilege Escalation"] action.risk = 1 action.risk.param._risk_message = The privileged Azure AD role Privileged Authentication Administrator was assigned for User $user$ initiated by $initiatedBy$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 50}, {"risk_object_field": "initiatedBy", "risk_object_type": "user", "risk_score": 50}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 50}, {"risk_object_field": "initiatedBy", "risk_object_type": "other", "risk_score": 50}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -7434,7 +7606,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD Privileged Authentication Administrator Role Assigned - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -7453,11 +7625,57 @@ realtime_schedule = 0 is_visible = false search = `azure_monitor_aad` "operationName"="Add member to role" "properties.targetResources{}.modifiedProperties{}.newValue"="\"Privileged Authentication Administrator\"" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_authentication_administrator_role_assigned_filter` +[ESCU - Azure AD Privileged Graph API Permission Assigned - Rule] +action.escu = 0 +action.escu.enabled = 1 +description = This Splunk analytic flags the assignment of three high-risk Graph API permissions in Azure AD, Application.ReadWrite.All (1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9), AppRoleAssignment.ReadWrite.All (06b708a9-e830-4db3-a914-8e69da51d44f), and RoleManagement.ReadWrite.Directory (9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). These permissions enable broad control over Azure AD, including application and directory settings. Utilizing azure_monitor_aad data, the query scans AuditLogs for 'Update application' operations, identifying when these permissions are assigned. It collects data on user, object, and user agent. Immediate attention is needed upon detection, as misuse of these permissions can lead to unauthorized Azure AD modifications and potential security breaches. +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]} +action.escu.data_models = [] +action.escu.eli5 = This Splunk analytic flags the assignment of three high-risk Graph API permissions in Azure AD, Application.ReadWrite.All (1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9), AppRoleAssignment.ReadWrite.All (06b708a9-e830-4db3-a914-8e69da51d44f), and RoleManagement.ReadWrite.Directory (9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). 
These permissions enable broad control over Azure AD, including application and directory settings. Utilizing azure_monitor_aad data, the query scans AuditLogs for 'Update application' operations, identifying when these permissions are assigned. It collects data on user, object, and user agent. Immediate attention is needed upon detection, as misuse of these permissions can lead to unauthorized Azure AD modifications and potential security breaches. +action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. +action.escu.known_false_positives = Privileged Graph API permissions may be assigned for legitimate purposes. Filter as needed. +action.escu.creation_date = 2024-01-30 +action.escu.modification_date = 2024-01-30 +action.escu.confidence = high +action.escu.full_search_name = ESCU - Azure AD Privileged Graph API Permission Assigned - Rule +action.escu.search_type = detection +action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] +action.escu.providing_technologies = null +action.escu.analytic_story = ["Azure Active Directory Persistence", "NOBELIUM Group"] +action.risk = 1 +action.risk.param._risk_message = User $user$ assigned privileged Graph API permissions to $object$ +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 54}] +action.risk.param._risk_score = 0 +action.risk.param.verbose = 0 +cron_schedule = 0 * * * * +dispatch.earliest_time = -70m@m +dispatch.latest_time = -10m@m +action.correlationsearch.enabled = 1 +action.correlationsearch.label = ESCU - Azure AD Privileged Graph API Permission Assigned - Rule +action.correlationsearch.annotations = 
{"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]} +schedule_window = auto +action.notable = 1 +action.notable.param.nes_fields = user,dest +action.notable.param.rule_description = This Splunk analytic flags the assignment of three high-risk Graph API permissions in Azure AD, Application.ReadWrite.All (1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9), AppRoleAssignment.ReadWrite.All (06b708a9-e830-4db3-a914-8e69da51d44f), and RoleManagement.ReadWrite.Directory (9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). These permissions enable broad control over Azure AD, including application and directory settings. Utilizing azure_monitor_aad data, the query scans AuditLogs for 'Update application' operations, identifying when these permissions are assigned. It collects data on user, object, and user agent. Immediate attention is needed upon detection, as misuse of these permissions can lead to unauthorized Azure AD modifications and potential security breaches. 
+action.notable.param.rule_title = Azure AD Privileged Graph API Permission Assigned +action.notable.param.security_domain = identity +action.notable.param.severity = high +alert.digest_mode = 1 +disabled = true +enableSched = 1 +allow_skew = 100% +counttype = number of events +relation = greater than +quantity = 0 +realtime_schedule = 0 +is_visible = false +search = `azure_monitor_aad` category=AuditLogs operationName="Update application" | eval newvalue = mvindex('properties.targetResources{}.modifiedProperties{}.newValue',0) | spath input=newvalue | search "{}.RequiredAppPermissions{}.EntitlementId"="1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9" OR "{}.RequiredAppPermissions{}.EntitlementId"="06b708a9-e830-4db3-a914-8e69da51d44f" OR "{}.RequiredAppPermissions{}.EntitlementId"="9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_graph_api_permission_assigned_filter` + [ESCU - Azure AD Privileged Role Assigned - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the assignment of sensitive and privileged Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike may assign these roles to a compromised account to establish Persistence in an Azure AD environment. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the assignment of sensitive and privileged Azure Active Directory roles to an Azure AD user. 
Adversaries and red teams alike may assign these roles to a compromised account to establish Persistence in an Azure AD environment. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. @@ -7469,10 +7687,10 @@ action.escu.full_search_name = ESCU - Azure AD Privileged Role Assigned - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null -action.escu.analytic_story = ["Azure Active Directory Persistence"] +action.escu.analytic_story = ["Azure Active Directory Persistence", "NOBELIUM Group"] action.risk = 1 action.risk.param._risk_message = A privileged Azure AD role was assigned for User $user$ initiated by $initiatedBy$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}, {"risk_object_field": "initiatedBy", "risk_object_type": "user", "risk_score": 63}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}, {"risk_object_field": "initiatedBy", "risk_object_type": "other", "risk_score": 63}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
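Review bot: The new "Azure AD Privileged Graph API Permission Assigned" rule maps to `T1003.002` (OS Credential Dumping: Security Account Manager), which does not describe assigning Graph API permissions to an application; the neighbouring role-assignment rules in this file use `T1098` / `T1098.003` (Account Manipulation: Additional Cloud Roles), and that family appears to fit better, so both `action.escu.mappings` and `action.correlationsearch.annotations` would need the same correction. `action.notable.param.nes_fields = user,dest` names a `dest` field that the search never produces — its `stats ... by user, object, user_agent, operationName` makes `object` the natural second notable field, so `action.notable.param.nes_fields = user,object` seems to be the intended value. The search parses only `mvindex(..., 0)` of `newValue`; if the audit event carries several modified properties the permission change may not be the first entry, which deserves a comment in the description or a broader extraction. Note also that an `Update application` event carrying `RequiredAppPermissions` appears to record a change to the app registration's requested permissions rather than a granted consent, so the description's "assigned" may overstate what the event proves.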
@@ -7480,7 +7698,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD Privileged Role Assigned - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -7503,7 +7721,7 @@ search = `azure_monitor_aad` "operationName"="Add member to role" | rename pro action.escu = 0 action.escu.enabled = 1 description = The following analytic detects potential privilege escalation threats in Azure Active Directory (AD). The detection is made by running a specific search within the ingested Azure Active Directory events to leverage the AuditLogs log category. This detection is important because it identifies instances where privileged roles that hold elevated permissions are assigned to service principals. This prevents unauthorized access or malicious activities, which occur when these non-human entities access Azure resources to exploit them. False positives might occur since administrators can legitimately assign privileged roles to service principals. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects potential privilege escalation threats in Azure Active Directory (AD). The detection is made by running a specific search within the ingested Azure Active Directory events to leverage the AuditLogs log category. This detection is important because it identifies instances where privileged roles that hold elevated permissions are assigned to service principals. This prevents unauthorized access or malicious activities, which occur when these non-human entities access Azure resources to exploit them. False positives might occur since administrators can legitimately assign privileged roles to service principals. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). 
You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. @@ -7515,10 +7733,10 @@ action.escu.full_search_name = ESCU - Azure AD Privileged Role Assigned to Servi action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null -action.escu.analytic_story = ["Azure Active Directory Privilege Escalation"] +action.escu.analytic_story = ["Azure Active Directory Privilege Escalation", "NOBELIUM Group"] action.risk = 1 action.risk.param._risk_message = A privileged Azure AD role was assigned to the Service Principal $displayName$ initiated by $initiatedBy$ -action.risk.param._risk = [{"risk_object_field": "initiatedBy", "risk_object_type": "user", "risk_score": 35}] +action.risk.param._risk = [{"risk_object_field": "initiatedBy", "risk_object_type": "other", "risk_score": 35}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -7526,7 +7744,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Privilege Escalation", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -7545,11 +7763,57 @@ realtime_schedule = 0 is_visible = false search = `azure_monitor_aad` operationName="Add member to role" | rename properties.* as * | search "targetResources{}.type"=ServicePrincipal | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as roles | eval role=mvindex(roles,1) | rename targetResources{}.displayName as apps | eval displayName=mvindex(apps,0) | lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description | search isprvilegedadrole = True | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by initiatedBy, result, operationName, role | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_role_assigned_to_service_principal_filter` +[ESCU - Azure AD Service Principal Authentication - Rule] +action.escu = 0 +action.escu.enabled = 1 +description = Monitoring service principal authentication events in Azure Active Directory is crucial, but to effectively leverage this detection, teams should first conduct a thorough inventory of all service principals and their source IPs to establish a baseline of normal behavior. The detection, using azure_monitor_aad, specifically targets "Sign-in activity" within ServicePrincipalSignInLogs, gathering key details like sign-in frequency, timing, source IPs, and accessed resources. This baseline is essential for SOC teams to distinguish between regular application authentication and anomalous patterns that might suggest compromised credentials or malicious activities. 
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.CM"]} +action.escu.data_models = [] +action.escu.eli5 = Monitoring service principal authentication events in Azure Active Directory is crucial, but to effectively leverage this detection, teams should first conduct a thorough inventory of all service principals and their source IPs to establish a baseline of normal behavior. The detection, using azure_monitor_aad, specifically targets "Sign-in activity" within ServicePrincipalSignInLogs, gathering key details like sign-in frequency, timing, source IPs, and accessed resources. This baseline is essential for SOC teams to distinguish between regular application authentication and anomalous patterns that might suggest compromised credentials or malicious activities. +action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category. +action.escu.known_false_positives = Service Principals will legitimally authenticate remotely to your tenant. Implementing this detection after establishing a baseline enables a more accurate identification of security threats, ensuring proactive and informed responses to safeguard the Azure AD environment. source ips. 
+action.escu.creation_date = 2024-02-12 +action.escu.modification_date = 2024-02-12 +action.escu.confidence = high +action.escu.full_search_name = ESCU - Azure AD Service Principal Authentication - Rule +action.escu.search_type = detection +action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] +action.escu.providing_technologies = null +action.escu.analytic_story = ["Azure Active Directory Account Takeover", "NOBELIUM Group"] +action.risk = 1 +action.risk.param._risk_message = Service Principal $user$ authenticated from $src_ip$ +action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 25}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] +action.risk.param._risk_score = 0 +action.risk.param.verbose = 0 +cron_schedule = 0 * * * * +dispatch.earliest_time = -70m@m +dispatch.latest_time = -10m@m +action.correlationsearch.enabled = 1 +action.correlationsearch.label = ESCU - Azure AD Service Principal Authentication - Rule +action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.CM"]} +schedule_window = auto +action.notable = 1 +action.notable.param.nes_fields = user,dest +action.notable.param.rule_description = Monitoring service principal authentication events in Azure Active Directory is crucial, but to effectively leverage this detection, teams should first conduct a thorough inventory of all service principals and their source IPs to establish a baseline of normal behavior. The detection, using azure_monitor_aad, specifically targets "Sign-in activity" within ServicePrincipalSignInLogs, gathering key details like sign-in frequency, timing, source IPs, and accessed resources. 
This baseline is essential for SOC teams to distinguish between regular application authentication and anomalous patterns that might suggest compromised credentials or malicious activities. +action.notable.param.rule_title = Azure AD Service Principal Authentication +action.notable.param.security_domain = identity +action.notable.param.severity = high +alert.digest_mode = 1 +disabled = true +enableSched = 1 +allow_skew = 100% +counttype = number of events +relation = greater than +quantity = 0 +realtime_schedule = 0 +is_visible = false +search = `azure_monitor_aad` operationName="Sign-in activity" category=ServicePrincipalSignInLogs | rename properties.* as * | stats count earliest(_time) as firstTime latest(_time) as lastTime by user, user_id, src_ip, resourceDisplayName, resourceId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_authentication_filter` + [ESCU - Azure AD Service Principal Created - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the creation of a Service Principal in an Azure AD environment. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may create a Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment. 
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1136.003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the creation of a Service Principal in an Azure AD environment. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may create a Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment thorough an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. 
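Review bot: The new stanza's `how_to_implement` says the analytic leverages the `SignInLogs` log category, but its search filters on `category=ServicePrincipalSignInLogs`, a separate diagnostic-setting category, so a tenant that forwards only SignInLogs gets no results while the rule looks healthy. Suggest `This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the ServicePrincipalSignInLogs log category.` The `known_false_positives` value ends in a stray fragment, `source ips.`, and spells `legitimally`; the sentence should be completed or the fragment dropped. `action.notable.param.nes_fields = user,dest` names a `dest` field the search never produces (it groups by `user, user_id, src_ip, resourceDisplayName, resourceId`), so `user,src_ip` would match what the notable actually carries.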
@@ -7561,10 +7825,10 @@ action.escu.full_search_name = ESCU - Azure AD Service Principal Created - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null -action.escu.analytic_story = ["Azure Active Directory Persistence"] +action.escu.analytic_story = ["Azure Active Directory Persistence", "NOBELIUM Group"] action.risk = 1 action.risk.param._risk_message = Service Principal named $displayName$ created by $user$ -action.risk.param._risk = [{"risk_object_field": "displayName", "risk_object_type": "other", "risk_score": 45}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}] +action.risk.param._risk = [{"risk_object_field": "displayName", "risk_object_type": "other", "risk_score": 45}, {"risk_object_field": "user", "risk_object_type": "other", "risk_score": 45}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -7572,7 +7836,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD Service Principal Created - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "mitre_attack": ["T1136.003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -7595,7 +7859,7 @@ search = `azure_monitor_aad` operationName="Add service principal" properties.i action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the addition of new credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD. These credentials include both x509 certificates and passwords. With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules. Adversaries and red teams alike who have obtained privileged access to Azure AD may add credentials to Service Principals to maintain persistent access to victim accounts and other instances within the Azure environment. By compromising an account who is an Owner of an application with privileged access, attackers may also escalate their privileges in an Azure AD environment by adding new credentials and logging in as the service principal. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1098", "T1098.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the addition of new credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD. These credentials include both x509 certificates and passwords. With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules. Adversaries and red teams alike who have obtained privileged access to Azure AD may add credentials to Service Principals to maintain persistent access to victim accounts and other instances within the Azure environment. 
By compromising an account who is an Owner of an application with privileged access, attackers may also escalate their privileges in an Azure AD environment by adding new credentials and logging in as the service principal. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. @@ -7607,10 +7871,10 @@ action.escu.full_search_name = ESCU - Azure AD Service Principal New Client Cred action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null -action.escu.analytic_story = ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"] +action.escu.analytic_story = ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation", "NOBELIUM Group"] action.risk = 1 action.risk.param._risk_message = New credentials added for Service Principal $properties.targetResources{}.displayName$ -action.risk.param._risk = [{"risk_object_field": "displayName", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}] +action.risk.param._risk = [{"risk_object_field": "displayName", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "user", "risk_object_type": "other", "risk_score": 35}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
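Review bot: On the rewritten `_risk` line `displayName` keeps `"risk_object_type": "user"` while `user` becomes `other`, the opposite of the SP Created and SP Owner Added stanzas in this same diff where the service principal's `displayName` is typed `other`; presumably `displayName` should be `other` here as well. Separately, the risk message references `$properties.targetResources{}.displayName$` while the risk object field is `displayName`; whether both tokens resolve depends on the renames in the stanza's search, which lies outside the hunk, so it is worth confirming against it.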
@@ -7618,7 +7882,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD Service Principal New Client Credentials - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "mitre_attack": ["T1098", "T1098.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -7641,7 +7905,7 @@ search = `azure_monitor_aad` category=AuditLogs operationName="Update applicat action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the addition of a new owner for a Service Principal within an Azure AD tenant. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may add a new owner for an existing Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment. Attackers who are looking to escalate their privileges by leveraging a Service Principals permissions may also add a new owner. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the addition of a new owner for a Service Principal within an Azure AD tenant. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may add a new owner for an existing Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment. Attackers who are looking to escalate their privileges by leveraging a Service Principals permissions may also add a new owner. 
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. @@ -7653,10 +7917,10 @@ action.escu.full_search_name = ESCU - Azure AD Service Principal Owner Added - R action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null -action.escu.analytic_story = ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"] +action.escu.analytic_story = ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation", "NOBELIUM Group"] action.risk = 1 action.risk.param._risk_message = A new owner was added for service principal $displayName$ by $initiatedBy$ -action.risk.param._risk = [{"risk_object_field": "displayName", "risk_object_type": "other", "risk_score": 54}, {"risk_object_field": "initiatedBy", "risk_object_type": "user", "risk_score": 54}] +action.risk.param._risk = [{"risk_object_field": "displayName", "risk_object_type": "other", "risk_score": 54}, {"risk_object_field": "initiatedBy", "risk_object_type": "other", "risk_score": 54}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -7664,7 +7928,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD Service Principal Owner Added - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "mitre_attack": ["T1098"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -7687,7 +7951,7 @@ search = `azure_monitor_aad` operationName="Add owner to application" | rename action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies an Azure AD account successfully authenticating from more than one unique Ip address in the span of 30 minutes. This behavior could represent an adversary who has stolen credentials via a phishing attack or some other method and using them to access corporate online resources around the same time as a legitimate user. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1110", "T1110.001", "T1110.003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001", "T1110.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies an Azure AD account successfully authenticating from more than one unique Ip address in the span of 30 minutes. This behavior could represent an adversary who has stolen credentials via a phishing attack or some other method and using them to access corporate online resources around the same time as a legitimate user. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. 
@@ -7702,7 +7966,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Compromised User Account", "Azure Active Directory Account Takeover"] action.risk = 1 action.risk.param._risk_message = User $user$ has had successful authentication events from more than one unique IP address in the span of 30 minutes. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 56}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 56}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -7710,7 +7974,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD Successful Authentication From Different Ips - Rule -action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account", "Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1110", "T1110.001", "T1110.003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Compromised User Account", "Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001", "T1110.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -7733,7 +7997,7 @@ search = `azure_monitor_aad` properties.authenticationDetails{}.succeeded=true action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a successful authentication event against an Azure AD tenant using PowerShell commandlets. This behavior is not common for regular, non administrative users. After compromising an account in Azure AD, attackers and red teams alike will perform enumeration and discovery techniques. One method of executing these techniques is leveraging the native PowerShell modules. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies a successful authentication event against an Azure AD tenant using PowerShell commandlets. This behavior is not common for regular, non administrative users. After compromising an account in Azure AD, attackers and red teams alike will perform enumeration and discovery techniques. One method of executing these techniques is leveraging the native PowerShell modules. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. 
@@ -7748,7 +8012,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Azure Active Directory Account Takeover"] action.risk = 1 action.risk.param._risk_message = Successful authentication for user $user$ using PowerShell. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 54}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 54}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -7756,7 +8020,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD Successful PowerShell Authentication - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -7779,7 +8043,7 @@ search = `azure_monitor_aad` category=SignInLogs properties.authenticationDeta action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a successful authentication event against Azure Active Directory for an account without Multi-Factor Authentication enabled. This could be evidence of a missconfiguration, a policy violation or an account take over attempt that should be investigated -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]} action.escu.data_models = ["Authentication"] action.escu.eli5 = The following analytic identifies a successful authentication event against Azure Active Directory for an account without Multi-Factor Authentication enabled. This could be evidence of a missconfiguration, a policy violation or an account take over attempt that should be investigated action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category. 
@@ -7794,7 +8058,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Azure Active Directory Account Takeover"] action.risk = 1 action.risk.param._risk_message = Successful authentication for user $user$ without MFA -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 45}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 45}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -7802,7 +8066,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure AD Successful Single-Factor Authentication - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -7825,7 +8089,7 @@ search = `azure_monitor_aad` category=SignInLogs properties.authenticationRequi action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies instances where admin consent is granted to an application within an Azure AD tenant. It leverages Azure AD audit logs, specifically events related to the admin consent action within the ApplicationManagement category. The admin consent action allows applications to access data across the entire tenant, potentially encompassing a vast amount of organizational data. Given its broad scope and the sensitivity of some permissions that can only be granted via admin consent, it's crucial to monitor this action. Unauthorized or inadvertent granting of admin consent can lead to significant security risks, including data breaches, unauthorized data access, and potential compliance violations. If an attacker successfully tricks an administrator into granting admin consent to a malicious or compromised application, they can gain extensive and persistent access to organizational data. This can lead to data exfiltration, espionage, further malicious activities within the tenant, and potential breaches of compliance regulations -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies instances where admin consent is granted to an application within an Azure AD tenant. It leverages Azure AD audit logs, specifically events related to the admin consent action within the ApplicationManagement category. The admin consent action allows applications to access data across the entire tenant, potentially encompassing a vast amount of organizational data. 
Given its broad scope and the sensitivity of some permissions that can only be granted via admin consent, it's crucial to monitor this action. Unauthorized or inadvertent granting of admin consent can lead to significant security risks, including data breaches, unauthorized data access, and potential compliance violations. If an attacker successfully tricks an administrator into granting admin consent to a malicious or compromised application, they can gain extensive and persistent access to organizational data. This can lead to data exfiltration, espionage, further malicious activities within the tenant, and potential breaches of compliance regulations action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Auditlogs log category. @@ -7837,10 +8101,10 @@ action.escu.full_search_name = ESCU - Azure AD Tenant Wide Admin Consent Granted action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null -action.escu.analytic_story = ["Azure Active Directory Persistence"] +action.escu.analytic_story = ["Azure Active Directory Persistence", "NOBELIUM Group"] action.risk = 1 action.risk.param._risk_message = Administrator $user$ consented an OAuth application for the tenant. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 45}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -7848,7 +8112,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Azure AD Tenant Wide Admin Consent Granted - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -7865,7 +8129,7 @@ relation = greater than
 quantity = 0
 realtime_schedule = 0
 is_visible = false
-search = `azure_monitor_aad` operationName="Consent to application" | eval new_field=mvindex('properties.targetResources{}.modifiedProperties{}.newValue', 4) | rename properties.* as * | rex field=new_field "ConsentType: (?[^\,]+)" | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, targetResources{}.displayName, targetResources{}.id, ConsentType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_tenant_wide_admin_consent_granted_filter`
+search = `azure_monitor_aad` operationName="Consent to application" | eval new_field=mvindex('properties.targetResources{}.modifiedProperties{}.newValue', 4) | rename properties.* as * | rex field=new_field "ConsentType: (?[^\,]+)" | rex field=new_field "Scope: (?[^\,]+)" | search ConsentType = "AllPrincipals" | stats count min(_time) as firstTime max(_time) as lastTime by operationName, user, targetResources{}.displayName, targetResources{}.id, ConsentType, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_tenant_wide_admin_consent_granted_filter`
 [ESCU - Azure AD Unusual Number of Failed Authentications From Ip - Rule]
 action.escu = 0
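Review bot: The new `| search ConsentType = "AllPrincipals"` filter makes the rule depend entirely on `mvindex(..., 4)` selecting the right element of `modifiedProperties{}.newValue`; if the property order in the Azure AD audit record ever shifts, both `rex` extractions miss and the rule silently returns nothing, whereas before the change it still fired on every consent event. Consider extracting from the whole multivalue field instead of a fixed index, e.g. `| rex field=properties.targetResources{}.modifiedProperties{}.newValue max_match=0 "ConsentType: (?<ConsentType>[^\,]+)"` placed before the `rename`, and a test event with reordered properties to pin the behaviour. The capture-group names appear as `(?[^\,]+)` in this rendering, which is presumably an extraction artifact of the page rather than the file content, but worth a glance at the source YAML.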
@@ -7873,7 +8137,7 @@ action.escu.enabled = 1 description = The following analytic identifies one source Ip failing to authenticate with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password.\ The detection calculates the standard deviation for source Ip and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\ While looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `Azure AD Multiple Users Failing To Authenticate From Ip`. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies one source Ip failing to authenticate with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password.\ The detection calculates the standard deviation for source Ip and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. 
To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\
@@ -7890,7 +8154,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Azure Active Directory Account Takeover"]
 action.risk = 1
 action.risk.param._risk_message = Possible Password Spraying attack against Azure AD from source ip $ipAddress$
-action.risk.param._risk = [{"risk_object_field": "userPrincipalName", "risk_object_type": "user", "risk_score": 54}, {"risk_object_field": "ipAddress", "risk_object_type": "system", "risk_score": 54}]
+action.risk.param._risk = [{"risk_object_field": "userPrincipalName", "risk_object_type": "user", "risk_score": 54}, {"risk_object_field": "ipAddress", "risk_object_type": "other", "risk_score": 54}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -7898,7 +8162,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Azure AD Unusual Number of Failed Authentications From Ip - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -7915,7 +8179,7 @@ search = `azure_monitor_aad` category=SignInLogs properties.status.errorCode=5 action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies instances where Azure AD has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This suggests that the application has exhibited behaviors or characteristics that are commonly associated with malicious intent or poses a security risk. This detection leverages the Azure AD audit logs, specifically focusing on events related to user consent actions and system-driven blocks. By filtering for blocked consent actions associated with applications, the analytic highlights instances where Azure's built-in security measures have intervened. Applications that are flagged and blocked by Azure typically exhibit suspicious characteristics or behaviors. Monitoring for these blocked consent attempts helps security teams identify potential threats early on and can provide insights into users who might be targeted or susceptible to such risky applications. It's an essential layer of defense in ensuring that malicious or risky applications don't gain access to organizational data. If the detection is a true positive, it indicates that the built-in security measures of O365 successfully prevented a potentially harmful application from gaining access. However, the attempt itself suggests that either a user might be targeted or that there's a presence of malicious applications trying to infiltrate the organization. Immediate investigation is required to understand the context of the block and to take further preventive measures. 
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} action.escu.data_models = ["Risk"] action.escu.eli5 = The following analytic identifies instances where Azure AD has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This suggests that the application has exhibited behaviors or characteristics that are commonly associated with malicious intent or poses a security risk. This detection leverages the Azure AD audit logs, specifically focusing on events related to user consent actions and system-driven blocks. By filtering for blocked consent actions associated with applications, the analytic highlights instances where Azure's built-in security measures have intervened. Applications that are flagged and blocked by Azure typically exhibit suspicious characteristics or behaviors. Monitoring for these blocked consent attempts helps security teams identify potential threats early on and can provide insights into users who might be targeted or susceptible to such risky applications. It's an essential layer of defense in ensuring that malicious or risky applications don't gain access to organizational data. If the detection is a true positive, it indicates that the built-in security measures of O365 successfully prevented a potentially harmful application from gaining access. However, the attempt itself suggests that either a user might be targeted or that there's a presence of malicious applications trying to infiltrate the organization. Immediate investigation is required to understand the context of the block and to take further preventive measures. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). 
You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.
@@ -7938,7 +8202,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Azure AD User Consent Blocked for Risky Application - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 100, "impact": 30, "mitre_attack": ["T1528"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 100, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -7961,7 +8225,7 @@ search = `azure_monitor_aad` operationName="Consent to application" properties.r action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies instances where a user has actively denied consent to an OAuth application seeking permissions within the Azure AD environment. This suggests that the user either recognized something suspicious about the application or chose not to grant it the requested permissions for other reasons. This detection leverages the Azure AD's audit logs, specifically focusing on events related to user consent actions. By filtering for denied consent actions associated with OAuth applications, the analytic captures instances where users have actively rejected permission requests. While user-denied consents can be routine, they can also be indicative of users spotting potentially suspicious or unfamiliar applications. By monitoring these denied consent attempts, security teams can gain insights into applications that might be perceived as risky or untrusted by users. It can also serve as a feedback loop for security awareness training, indicating that users are being cautious about granting permissions. If the detection is a true positive, it indicates that a user has actively prevented an OAuth application from gaining the permissions it requested. While this is a proactive security measure on the user's part, it's essential for security teams to review the context of the denial. Understanding why certain applications are being denied can help in refining application whitelisting policies and ensuring that no malicious applications are attempting to gain access. 
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies instances where a user has actively denied consent to an OAuth application seeking permissions within the Azure AD environment. This suggests that the user either recognized something suspicious about the application or chose not to grant it the requested permissions for other reasons. This detection leverages the Azure AD's audit logs, specifically focusing on events related to user consent actions. By filtering for denied consent actions associated with OAuth applications, the analytic captures instances where users have actively rejected permission requests. While user-denied consents can be routine, they can also be indicative of users spotting potentially suspicious or unfamiliar applications. By monitoring these denied consent attempts, security teams can gain insights into applications that might be perceived as risky or untrusted by users. It can also serve as a feedback loop for security awareness training, indicating that users are being cautious about granting permissions. If the detection is a true positive, it indicates that a user has actively prevented an OAuth application from gaining the permissions it requested. While this is a proactive security measure on the user's part, it's essential for security teams to review the context of the denial. Understanding why certain applications are being denied can help in refining application whitelisting policies and ensuring that no malicious applications are attempting to gain access. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). 
You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.
@@ -7984,7 +8248,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Azure AD User Consent Denied for OAuth Application - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "mitre_attack": ["T1528"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -8007,7 +8271,7 @@ search = `azure_monitor_aad` operationName="Sign-in activity" properties.status
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies an Azure AD user enabling a previously disabled account and resetting its password within 2 minutes. This behavior could represent an adversary who has obtained administrative access and is trying to establish a backdoor identity within an Azure AD tenant.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies an Azure AD user enabling a previously disabled account and resetting its password within 2 minutes. This behavior could represent an adversary who has obtained administrative access and is trying to establish a backdoor identity within an Azure AD tenant.
 action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.
@@ -8022,7 +8286,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Azure Active Directory Persistence"]
 action.risk = 1
 action.risk.param._risk_message = A user account, $user$, was enabled and its password reset within 2 minutes by $initiatedBy$
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"risk_object_field": "initiatedBy", "risk_object_type": "user", "risk_score": 45}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"risk_object_field": "initiatedBy", "risk_object_type": "other", "risk_score": 45}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -8030,7 +8294,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Azure AD User Enabled And Password Reset - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -8053,7 +8317,7 @@ search = `azure_monitor_aad` (operationName="Enable account" OR operationName= action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the modification of the SourceAnchor (also called ImmutableId) attribute for an Azure Active Directory user. Updating this attribute is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the modification of the SourceAnchor (also called ImmutableId) attribute for an Azure Active Directory user. Updating this attribute is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. 
A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. @@ -8068,7 +8332,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Azure Active Directory Persistence"] action.risk = 1 action.risk.param._risk_message = The SourceAnchor or ImmutableID attribute has been modified for user $user$ by $initiatedBy$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"risk_object_field": "initiatedBy", "risk_object_type": "user", "risk_score": 45}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"risk_object_field": "initiatedBy", "risk_object_type": "other", "risk_score": 45}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -8076,7 +8340,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Azure AD User ImmutableId Attribute Updated - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -8099,7 +8363,7 @@ search = `azure_monitor_aad` operationName="Update user" properties.targetReso action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the creation of a new Azure Automation account within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure using PowerShell and Python. Azure Automation can also be configured to automate tasks on on premise infrastructure using a component called a Hybrid Runbook Worker. Automation accounts serve as a container to isolate Automation resources, runbooks, assets, and configurations from the resources of other accounts. They allow administrators to separate resources into logical environments or delegated responsibilities. Adversaries or red teams who have obtained privileged access to an Azure tenant may create an Azure Automation account with elevated privileges to maintain persistence in the Azure tenant. A malicious Automation Runbook can be created to create Global Administrators in Azure AD, execute code on VMs, etc. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1136", "T1136.003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136", "T1136.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the creation of a new Azure Automation account within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure using PowerShell and Python. Azure Automation can also be configured to automate tasks on on premise infrastructure using a component called a Hybrid Runbook Worker. 
Automation accounts serve as a container to isolate Automation resources, runbooks, assets, and configurations from the resources of other accounts. They allow administrators to separate resources into logical environments or delegated responsibilities. Adversaries or red teams who have obtained privileged access to an Azure tenant may create an Azure Automation account with elevated privileges to maintain persistence in the Azure tenant. A malicious Automation Runbook can be created to create Global Administrators in Azure AD, execute code on VMs, etc. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category. @@ -8114,7 +8378,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Azure Active Directory Persistence"] action.risk = 1 action.risk.param._risk_message = A new Azure Automation account $object$ was created by $user$ -action.risk.param._risk = [{"risk_object_field": "object", "risk_object_type": "other", "risk_score": 63}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}] +action.risk.param._risk = [{"risk_object_field": "object", "risk_object_type": "other", "risk_score": 63}, {"risk_object_field": "user", "risk_object_type": "other", "risk_score": 63}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -8122,7 +8386,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Azure Automation Account Created - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1136", "T1136.003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136", "T1136.003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -8145,7 +8409,7 @@ search = `azure_audit` operationName.localizedValue="Create or Update an Azure action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the creation of a new Azure Automation Runbook within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure. Azure Automation script files called Runbooks that can be written in PowerShell or Python. Adversaries or red teams who have obtained privileged access to an Azure tenant may create an Azure Automation Runbook that runs with elevated privileges to maintain persistence in the Azure tenant. A malicious Automation Runbook can be created to create Global Administrators in Azure AD, execute code on VMs, etc. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1136", "T1136.003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136", "T1136.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the creation of a new Azure Automation Runbook within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure. Azure Automation script files called Runbooks that can be written in PowerShell or Python. Adversaries or red teams who have obtained privileged access to an Azure tenant may create an Azure Automation Runbook that runs with elevated privileges to maintain persistence in the Azure tenant. A malicious Automation Runbook can be created to create Global Administrators in Azure AD, execute code on VMs, etc. 
action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category.
@@ -8160,7 +8424,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Azure Active Directory Persistence"]
 action.risk = 1
 action.risk.param._risk_message = A new Azure Automation Runbook $object$ was created by $caller$
-action.risk.param._risk = [{"risk_object_field": "object", "risk_object_type": "other", "risk_score": 63}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}]
+action.risk.param._risk = [{"risk_object_field": "object", "risk_object_type": "other", "risk_score": 63}, {"risk_object_field": "user", "risk_object_type": "other", "risk_score": 63}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -8168,7 +8432,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Azure Automation Runbook Created - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1136", "T1136.003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136", "T1136.003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
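Review bot: The risk message in the `@@ -8160` hunk interpolates `$caller$` while the new `_risk` line still names `"risk_object_field": "user"`; if the search emits `caller` rather than `user` (the search line is outside this hunk), the risk event is written with an empty risk object and the 63-point score attaches to nothing. Either the message should read `created by $user$` or the risk object field should be `"caller"`, matching the Azure Automation Account Created rule, which uses `$user$` in both places. The Runbook Webhook rule's risk hunk has the same `$caller$`/`user` mismatch. A quick check is to run the detection against its sample data and confirm the resulting `risk` index events carry a non-empty `risk_object`.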
@@ -8191,7 +8455,7 @@ search = `azure_audit` operationName.localizedValue="Create or Update an Azure action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the creation of a new Automation Runbook Webhook within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure. Azure Automation script files called Runbooks that can be written in PowerShell or Python. One of the ways administrators can configure a Runbook to be executed is through HTTP Webhooks. Webhooks leverage custom unauthenticated URLs that are exposed to the Internet. An adversary who has obtained privileged access to an Azure tenant may create a Webhook to trigger the execution of an Automation Runbook with malicious code that can create users or execute code on a VM. This provides a persistent foothold on the environment. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.004"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.004"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the creation of a new Automation Runbook Webhook within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure. Azure Automation script files called Runbooks that can be written in PowerShell or Python. One of the ways administrators can configure a Runbook to be executed is through HTTP Webhooks. Webhooks leverage custom unauthenticated URLs that are exposed to the Internet. 
An adversary who has obtained privileged access to an Azure tenant may create a Webhook to trigger the execution of an Automation Runbook with malicious code that can create users or execute code on a VM. This provides a persistent foothold on the environment. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category. @@ -8206,7 +8470,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Azure Active Directory Persistence"] action.risk = 1 action.risk.param._risk_message = A new Azure Runbook Webhook $object$ was created by $caller$ -action.risk.param._risk = [{"risk_object_field": "object", "risk_object_type": "other", "risk_score": 63}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}] +action.risk.param._risk = [{"risk_object_field": "object", "risk_object_type": "other", "risk_score": 63}, {"risk_object_field": "user", "risk_object_type": "other", "risk_score": 63}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -8214,7 +8478,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Azure Runbook Webhook Created - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1078", "T1078.004"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directory Persistence"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.004"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -8237,7 +8501,7 @@ search = `azure_audit` operationName.localizedValue="Create or Update an Azure action.escu = 0 action.escu.enabled = 1 description = This analytic searches for a specific behavior in CircleCI pipelines such as the disabling of security jobs. The detection is made by using a Splunk query that renames certain fields and retrieves values for specified job names, workflow IDs and names, user information, commit messages, URLs, and branches. Then, the query identifies mandatory jobs for each workflow and searches for instances where they were run. The search also identifies the phase of the pipeline as "build" and extracts the repository name from the URL using regular expressions. The detection is important because it detects attempts to bypass security measures in CircleCI pipelines, which can potentially lead to malicious code being introduced into the pipeline, data breaches, system downtime, and reputational damage. False positives might occur since legitimate use cases can require the disabling of security jobs. However, you can proactively monitor and identify any suspicious activity in the pipeline using this analytic and mitigate potential threats through early detection. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1554"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1554"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic searches for a specific behavior in CircleCI pipelines such as the disabling of security jobs. The detection is made by using a Splunk query that renames certain fields and retrieves values for specified job names, workflow IDs and names, user information, commit messages, URLs, and branches. Then, the query identifies mandatory jobs for each workflow and searches for instances where they were run. 
The search also identifies the phase of the pipeline as "build" and extracts the repository name from the URL using regular expressions. The detection is important because it detects attempts to bypass security measures in CircleCI pipelines, which can potentially lead to malicious code being introduced into the pipeline, data breaches, system downtime, and reputational damage. False positives might occur since legitimate use cases can require the disabling of security jobs. However, you can proactively monitor and identify any suspicious activity in the pipeline using this analytic and mitigate potential threats through early detection. action.escu.how_to_implement = You must index CircleCI logs. @@ -8252,7 +8516,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Dev Sec Ops"] action.risk = 1 action.risk.param._risk_message = disable security job $mandatory_job$ in workflow $workflow_name$ from user $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 72}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -8260,7 +8524,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Circle CI Disable Security Job - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 90, "impact": 80, "mitre_attack": ["T1554"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1554"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -8277,7 +8541,7 @@ search = `circleci` | rename vcs.committer_name as user vcs.subject as commit_me action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects the disablement of security steps in a CircleCI pipeline. Addressing instances of security step disablement in CircleCI pipelines can mitigate the risks associated with potential security vulnerabilities and unauthorized changes. A proactive approach helps protect the organization's infrastructure, data, and overall security posture. The detection is made by a Splunk query that searches for specific criteria within CircleCI logs through a combination of field renaming, joining, and statistical analysis to identify instances where security steps are disabled. It retrieves information such as job IDs, job names, commit details, and user information from the CircleCI logs. The detection is important because it indicates potential security vulnerabilities or unauthorized changes to the pipeline caused by someone within the organization intentionally or unintentionally disabling security steps in the CircleCI pipeline.Disabling security steps can leave the pipeline and the associated infrastructure exposed to potential attacks, data breaches, or the introduction of malicious code into the pipeline. Investigate by reviewing the job name, commit details, and user information associated with the disablement of security steps. You must also examine any relevant on-disk artifacts and identify concurrent processes that might indicate the source of the attack or unauthorized change. 
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1554"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1554"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects the disablement of security steps in a CircleCI pipeline. Addressing instances of security step disablement in CircleCI pipelines can mitigate the risks associated with potential security vulnerabilities and unauthorized changes. A proactive approach helps protect the organization's infrastructure, data, and overall security posture. The detection is made by a Splunk query that searches for specific criteria within CircleCI logs through a combination of field renaming, joining, and statistical analysis to identify instances where security steps are disabled. It retrieves information such as job IDs, job names, commit details, and user information from the CircleCI logs. The detection is important because it indicates potential security vulnerabilities or unauthorized changes to the pipeline caused by someone within the organization intentionally or unintentionally disabling security steps in the CircleCI pipeline.Disabling security steps can leave the pipeline and the associated infrastructure exposed to potential attacks, data breaches, or the introduction of malicious code into the pipeline. Investigate by reviewing the job name, commit details, and user information associated with the disablement of security steps. You must also examine any relevant on-disk artifacts and identify concurrent processes that might indicate the source of the attack or unauthorized change. action.escu.how_to_implement = You must index CircleCI logs. 
@@ -8292,7 +8556,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Dev Sec Ops"] action.risk = 1 action.risk.param._risk_message = disable security step $mandatory_step$ in job $job_name$ from user $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 72}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -8300,7 +8564,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Circle CI Disable Security Step - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 90, "impact": 80, "mitre_attack": ["T1554"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1554"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -8317,7 +8581,7 @@ search = `circleci` | rename workflows.job_id AS job_id | join job_id [ | search action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects when a new command is run by a user, who typically does not run those commands. The detection is made by a Splunk query to search for these commands in the Change data model. Identifies commands run by users with the user_type of AssumedRole and a status of success. The query retrieves the earliest and latest timestamps of each command run and groups the results by the user and command. Then, it drops the unnecessary data model object name and creates a lookup to verify if the command was seen before. The lookup table contains information about previously seen cloud API calls for each user role, including the first time the command was seen and whether enough data is available for analysis. If the firstTimeSeenUserApiCall field is null or greater than the relative time of 24 hours ago, it indicates that the command is new and was not seen before. The final result table includes the firstTime, user, object, and command fields of the new commands. It also applies the security_content_ctime function to format the timestamps and applies a filter to remove any cloud API calls from previously unseen user roles. The detection is important because it helps to identify new commands run by different user roles. New commands can indicate potential malicious activity or unauthorized actions within the environment. 
Detecting and investigating these new commands can help identify and mitigate potential security threats earlier, preventing data breaches, unauthorized access, or other damaging outcomes. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} action.escu.data_models = ["Change"] action.escu.eli5 = The following analytic detects when a new command is run by a user, who typically does not run those commands. The detection is made by a Splunk query to search for these commands in the Change data model. Identifies commands run by users with the user_type of AssumedRole and a status of success. The query retrieves the earliest and latest timestamps of each command run and groups the results by the user and command. Then, it drops the unnecessary data model object name and creates a lookup to verify if the command was seen before. The lookup table contains information about previously seen cloud API calls for each user role, including the first time the command was seen and whether enough data is available for analysis. If the firstTimeSeenUserApiCall field is null or greater than the relative time of 24 hours ago, it indicates that the command is new and was not seen before. The final result table includes the firstTime, user, object, and command fields of the new commands. It also applies the security_content_ctime function to format the timestamps and applies a filter to remove any cloud API calls from previously unseen user roles. The detection is important because it helps to identify new commands run by different user roles. New commands can indicate potential malicious activity or unauthorized actions within the environment. 
Detecting and investigating these new commands can help identify and mitigate potential security threats earlier, preventing data breaches, unauthorized access, or other damaging outcomes. action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud API Calls Per User Role - Initial` to build the initial table of user roles, commands, and times. You must also enable the second baseline search `Previously Seen Cloud API Calls Per User Role - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `cloud_api_calls_from_previously_unseen_user_roles_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_api_calls_from_previously_unseen_user_roles_filter` @@ -8332,7 +8596,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Suspicious Cloud User Activities"] action.risk = 1 action.risk.param._risk_message = User $user$ of type AssumedRole attempting to execute new API calls $command$ that have not been seen before -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 36}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -8340,7 +8604,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Cloud API Calls From Previously Unseen User Roles - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud User Activities"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud User Activities"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -8357,7 +8621,7 @@ search = | tstats earliest(_time) as firstTime, latest(_time) as lastTime from d action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for cloud compute instances created by users who have not created them before. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]} action.escu.data_models = ["Change"] action.escu.eli5 = This search looks for cloud compute instances created by users who have not created them before. action.escu.how_to_implement = You must be ingesting the appropriate cloud-infrastructure logs Run the "Previously Seen Cloud Compute Creations By User" support search to create of baseline of previously seen users. @@ -8372,7 +8636,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Cloud Cryptomining"] action.risk = 1 action.risk.param._risk_message = User $user$ is creating a new instance $dest$ for the first time -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 18}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 18}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 18}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 18}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -8380,7 +8644,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Cloud Compute Instance Created By Previously Unseen User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cloud Cryptomining"], "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Cloud Cryptomining"], "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -8397,7 +8661,7 @@ search = | tstats `security_content_summariesonly` count earliest(_time) as firs action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks at cloud-infrastructure events where an instance is created in any region within the last hour and then compares it to a lookup file of previously seen regions where instances have been created. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]} action.escu.data_models = ["Change"] action.escu.eli5 = This search looks at cloud-infrastructure events where an instance is created in any region within the last hour and then compares it to a lookup file of previously seen regions where instances have been created. action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Regions - Initial` to build the initial table of images observed and times. You must also enable the second baseline search `Previously Seen Cloud Regions - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_in_previously_unused_region_filter` macro. 
@@ -8412,7 +8676,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Cloud Cryptomining"] action.risk = 1 action.risk.param._risk_message = User $user$ is creating an instance $dest$ in a new region for the first time -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 42}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -8420,7 +8684,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Cloud Compute Instance Created In Previously Unused Region - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cloud Cryptomining"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "mitre_attack": ["T1535"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Cloud Cryptomining"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -8452,7 +8716,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Cloud Cryptomining"]
 action.risk = 1
 action.risk.param._risk_message = User $user$ is creating an instance $dest$ with an image that has not been previously seen.
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 36}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -8492,7 +8756,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Cloud Cryptomining"]
 action.risk = 1
 action.risk.param._risk_message = User $user$ is creating an instance $dest$ with an instance type $instance_type$ that has not been previously seen.
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 30}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 30}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -8517,7 +8781,7 @@ search = | tstats earliest(_time) as firstTime, latest(_time) as lastTime values action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for cloud instances being modified by users who have not previously modified them. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]} action.escu.data_models = ["Change"] action.escu.eli5 = This search looks for cloud instances being modified by users who have not previously modified them. action.escu.how_to_implement = This search has a dependency on other searches to create and update a baseline of users observed to be associated with this activity. The search "Previously Seen Cloud Instance Modifications By User - Update" should be enabled for this detection to properly work. @@ -8532,7 +8796,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Suspicious Cloud Instance Activities"] action.risk = 1 action.risk.param._risk_message = User $user$ is modifying an instance $object_id$ for the first time. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 42}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -8540,7 +8804,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Cloud Instance Modified By Previously Unseen User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Instance Activities"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Instance Activities"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004", "T1078"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -8557,7 +8821,7 @@ search = | tstats `security_content_summariesonly` count earliest(_time) as firs action.escu = 0 action.escu.enabled = 1 description = This search looks for cloud provisioning activities from previously unseen cities. Provisioning activities are defined broadly as any event that runs or creates something. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} action.escu.data_models = ["Change"] action.escu.eli5 = This search looks for cloud provisioning activities from previously unseen cities. Provisioning activities are defined broadly as any event that runs or creates something. action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_city_filter` macro. 
@@ -8573,7 +8837,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Suspicious Cloud Provisioning Activities"]
 action.risk = 1
 action.risk.param._risk_message = User $user$ is starting or creating an instance $object$ for the first time in City $City$ from IP address $src$
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 18}, {"risk_object_field": "src", "risk_object_type": "system", "risk_score": 18}, {"risk_object_field": "object", "risk_object_type": "system", "risk_score": 18}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 18}, {"risk_object_field": "src", "risk_object_type": "other", "risk_score": 18}, {"risk_object_field": "object", "risk_object_type": "system", "risk_score": 18}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -8581,7 +8845,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Cloud Provisioning Activity From Previously Unseen City - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -8598,7 +8862,7 @@ search = | tstats earliest(_time) as firstTime, latest(_time) as lastTime from d action.escu = 0 action.escu.enabled = 1 description = This search looks for cloud provisioning activities from previously unseen countries. Provisioning activities are defined broadly as any event that runs or creates something. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} action.escu.data_models = ["Change"] action.escu.eli5 = This search looks for cloud provisioning activities from previously unseen countries. Provisioning activities are defined broadly as any event that runs or creates something. action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_country_filter` macro. 
@@ -8614,7 +8878,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Suspicious Cloud Provisioning Activities"] action.risk = 1 action.risk.param._risk_message = User $user$ is starting or creating an instance $object$ for the first time in Country $Country$ from IP address $src$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}, {"risk_object_field": "src", "risk_object_type": "system", "risk_score": 42}, {"risk_object_field": "object", "risk_object_type": "system", "risk_score": 42}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 42}, {"risk_object_field": "src", "risk_object_type": "other", "risk_score": 42}, {"risk_object_field": "object", "risk_object_type": "system", "risk_score": 42}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -8622,7 +8886,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Cloud Provisioning Activity From Previously Unseen Country - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
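Review bot: The new `_risk` line for the Unseen Country rule retypes the `user` risk object from `user` to `other`, which removes this detection's 42 points from the user-entity risk rollup that account-takeover stories rely on; the risk message still calls the field `User $user$`, and the Unseen City rule earlier in this same release keeps `"risk_object_type": "user"` for the identical field. Unless the field has been confirmed to hold a non-identity value, restore `{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}` (and likewise `src` as `system`, since it is an IP address). The change appears in the auto-generated `dist/` output, so it should be corrected upstream in the detection definition rather than here.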
@@ -8639,7 +8903,7 @@ search = | tstats earliest(_time) as firstTime, latest(_time) as lastTime from d action.escu = 0 action.escu.enabled = 1 description = This search looks for cloud provisioning activities from previously unseen IP addresses. Provisioning activities are defined broadly as any event that runs or creates something. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} action.escu.data_models = ["Change"] action.escu.eli5 = This search looks for cloud provisioning activities from previously unseen IP addresses. Provisioning activities are defined broadly as any event that runs or creates something. action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_ip_address_filter` macro. 
@@ -8655,7 +8919,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Suspicious Cloud Provisioning Activities"] action.risk = 1 action.risk.param._risk_message = User $user$ is starting or creating an instance $object_id$ for the first time from IP address $src$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}, {"risk_object_field": "src", "risk_object_type": "system", "risk_score": 42}, {"risk_object_field": "object_id", "risk_object_type": "system", "risk_score": 42}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 42}, {"risk_object_field": "src", "risk_object_type": "other", "risk_score": 42}, {"risk_object_field": "object_id", "risk_object_type": "system", "risk_score": 42}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -8663,7 +8927,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Cloud Provisioning Activity From Previously Unseen IP Address - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
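Review bot: The Unseen IP Address rule now emits both `user` and `src` as `other`-typed risk objects, so neither the principal nor the source IP will correlate with `user`/`system` objects from other detections in the Suspicious Cloud Provisioning Activities story; for a detection whose whole purpose is attributing first-seen provisioning to a user and an address, that undercuts the risk notables built on it. Keep `"risk_object_type": "user"` for `user` and `"risk_object_type": "system"` for `src`, as the previous line did, unless a reason for `other` is documented. Fix in the source detection definition, since this file is regenerated by the release job.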
@@ -8680,7 +8944,7 @@ search = | tstats earliest(_time) as firstTime, latest(_time) as lastTime, value action.escu = 0 action.escu.enabled = 1 description = This search looks for cloud provisioning activities from previously unseen regions. Provisioning activities are defined broadly as any event that runs or creates something. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} action.escu.data_models = ["Change"] action.escu.eli5 = This search looks for cloud provisioning activities from previously unseen regions. Provisioning activities are defined broadly as any event that runs or creates something. action.escu.how_to_implement = You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_region_filter` macro. 
@@ -8696,7 +8960,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Suspicious Cloud Provisioning Activities"] action.risk = 1 action.risk.param._risk_message = User $user$ is starting or creating an instance $object$ for the first time in region $Region$ from IP address $src$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}, {"risk_object_field": "src", "risk_object_type": "system", "risk_score": 42}, {"risk_object_field": "object", "risk_object_type": "system", "risk_score": 42}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 42}, {"risk_object_field": "src", "risk_object_type": "other", "risk_score": 42}, {"risk_object_field": "object", "risk_object_type": "system", "risk_score": 42}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -8704,7 +8968,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Cloud Provisioning Activity From Previously Unseen Region - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Provisioning Activities"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -8721,7 +8985,7 @@ search = | tstats earliest(_time) as firstTime, latest(_time) as lastTime from d action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1552"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1552"], "nist": ["DE.AE"]} action.escu.data_models = ["Authentication"] action.escu.eli5 = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour action.escu.how_to_implement = You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. 
Run `Previously Seen Users in CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. @@ -8739,7 +9003,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Detect AWS Console Login by New User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Authentication Activities", "AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "mitre_attack": ["T1586", "T1586.003", "T1552"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious Cloud Authentication Activities", "AWS Identity and Access Management Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1552"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -8756,7 +9020,7 @@ search = | tstats earliest(_time) as firstTime latest(_time) as lastTime from da action.escu = 0 action.escu.enabled = 1 description = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"]} action.escu.data_models = ["Authentication"] action.escu.eli5 = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour action.escu.how_to_implement = You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_city_filter` macro. 
@@ -8774,7 +9038,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect AWS Console Login by User from New City - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities", "AWS Identity and Access Management Account Takeover", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities", "AWS Identity and Access Management Account Takeover", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -8791,7 +9055,7 @@ search = | tstats earliest(_time) as firstTime latest(_time) as lastTime from da action.escu = 0 action.escu.enabled = 1 description = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"]} action.escu.data_models = ["Authentication"] action.escu.eli5 = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour action.escu.how_to_implement = You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_country_filter` macro. 
@@ -8809,7 +9073,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect AWS Console Login by User from New Country - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities", "AWS Identity and Access Management Account Takeover", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities", "AWS Identity and Access Management Account Takeover", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -8826,7 +9090,7 @@ search = | tstats earliest(_time) as firstTime latest(_time) as lastTime from da action.escu = 0 action.escu.enabled = 1 description = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"]} action.escu.data_models = ["Authentication"] action.escu.eli5 = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour action.escu.how_to_implement = You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_region_filter` macro. 
@@ -8844,7 +9108,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect AWS Console Login by User from New Region - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities", "AWS Identity and Access Management Account Takeover", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities", "AWS Identity and Access Management Account Takeover", "Compromised User Account"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -8861,7 +9125,7 @@ search = | tstats earliest(_time) as firstTime latest(_time) as lastTime from da action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks at GCP Storage bucket-access logs and detects new or previously unseen remote IP addresses that have successfully accessed a GCP Storage bucket. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1530"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search looks at GCP Storage bucket-access logs and detects new or previously unseen remote IP addresses that have successfully accessed a GCP Storage bucket. action.escu.how_to_implement = This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview). In order to capture public GCP Storage Bucket access logs, you must also enable storage bucket logging to your PubSub Topic as per https://cloud.google.com/storage/docs/access-logs. These logs are deposited into the nominated Storage Bucket on an hourly basis and typically show up by 15 minutes past the hour. It is recommended to configure any saved searches or correlation searches in Enterprise Security to run on an hourly basis at 30 minutes past the hour (cron definition of 30 * * * *). 
A lookup table (previously_seen_gcp_storage_access_from_remote_ip.csv) stores the previously seen access requests, and is used by this search to determine any newly seen IP addresses accessing the Storage Buckets. @@ -8876,7 +9140,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Suspicious GCP Storage Activities"] action.risk = 1 action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "remote_ip", "risk_object_type": "system", "risk_score": 25}] +action.risk.param._risk = [{"risk_object_field": "remote_ip", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -8884,7 +9148,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Detect GCP Storage access from a new IP - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious GCP Storage Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1530"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious GCP Storage Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -8901,7 +9165,7 @@ search = `google_gcp_pubsub_message` | multikv | rename sc_status_ as status | r action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for GCP PubSub events where a user has created an open/public GCP Storage bucket. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1530"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.CM"]} action.escu.data_models = ["Email"] action.escu.eli5 = This search looks for GCP PubSub events where a user has created an open/public GCP Storage bucket. action.escu.how_to_implement = This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview). 
@@ -8924,7 +9188,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Detect New Open GCP Storage Buckets - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious GCP Storage Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1530"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious GCP Storage Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -8947,7 +9211,7 @@ search = `google_gcp_pubsub_message` data.resource.type=gcs_bucket data.protoPay action.escu = 0 action.escu.enabled = 1 description = This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1530"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket. action.escu.how_to_implement = You must install the AWS App for Splunk. 
@@ -8962,7 +9226,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["Suspicious AWS S3 Activities"] action.risk = 1 action.risk.param._risk_message = User $user_arn$ has created an open/public bucket $bucketName$ with the following permissions $permission$ -action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 48}, {"risk_object_field": "bucketName", "risk_object_type": "other", "risk_score": 48}] +action.risk.param._risk = [{"risk_object_field": "user_arn", "risk_object_type": "other", "risk_score": 48}, {"risk_object_field": "bucketName", "risk_object_type": "other", "risk_score": 48}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -8970,7 +9234,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect New Open S3 buckets - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS S3 Activities"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "mitre_attack": ["T1530"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS S3 Activities"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
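Review bot: The Detect New Open S3 buckets rule retypes `user_arn` from `user` to `other`; a CloudTrail principal ARN is an identity, and typing it `other` means a user who makes buckets public will not accumulate risk against the same entity that the console-login and IAM detections score, which is exactly the correlation the risk-based alerting model is meant to provide. Restore `{"risk_object_field": "user_arn", "risk_object_type": "user", "risk_score": 48}` in the upstream detection definition unless the ARN is known to be normalized into a different field elsewhere. The `bucketName` object being `other` is reasonable and unchanged.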
@@ -8993,7 +9257,7 @@ search = `cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl | rex action.escu = 0 action.escu.enabled = 1 description = This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the aws cli. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1530"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the aws cli. action.escu.how_to_implement = @@ -9008,7 +9272,7 @@ action.escu.providing_technologies = ["Amazon Web Services - Cloudtrail"] action.escu.analytic_story = ["Suspicious AWS S3 Activities"] action.risk = 1 action.risk.param._risk_message = User $userIdentity.userName$ has created an open/public bucket $bucketName$ using AWS CLI with the following permissions - $requestParameters.accessControlList.x-amz-grant-read$ $requestParameters.accessControlList.x-amz-grant-read-acp$ $requestParameters.accessControlList.x-amz-grant-write$ $requestParameters.accessControlList.x-amz-grant-write-acp$ $requestParameters.accessControlList.x-amz-grant-full-control$ -action.risk.param._risk = [{"risk_object_field": "userIdentity.userName", "risk_object_type": "user", "risk_score": 48}, {"risk_object_field": "bucketName", "risk_object_type": "other", "risk_score": 48}] +action.risk.param._risk = [{"risk_object_field": "userIdentity.userName", "risk_object_type": "other", "risk_score": 48}, {"risk_object_field": "bucketName", "risk_object_type": "other", "risk_score": 48}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -9016,7 +9280,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect New Open S3 Buckets over AWS CLI - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS S3 Activities"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "mitre_attack": ["T1530"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS S3 Activities"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -9039,7 +9303,7 @@ search = `cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR u action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks at S3 bucket-access logs and detects new or previously unseen remote IP addresses that have successfully accessed an S3 bucket. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1530"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search looks at S3 bucket-access logs and detects new or previously unseen remote IP addresses that have successfully accessed an S3 bucket. action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your S3 access logs' inputs. This search works best when you run the "Previously Seen S3 Bucket Access by Remote IP" support search once to create a history of previously seen remote IPs and bucket names. @@ -9054,7 +9318,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Suspicious AWS S3 Activities"] action.risk = 1 action.risk.param._risk_message = tbd -action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 25}] +action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
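Review bot: The S3 access from a new IP rule retypes `src_ip` from `system` to `other`, so a previously unseen address hitting a bucket no longer shares a risk entity with the same address seen by VPC-flow or CloudTrail detections; `system` matches how other detections in this release type source IPs and should be kept unless the change is deliberate and documented. Separately, the surrounding context line still has `action.risk.param._risk_message = tbd`, which ships a placeholder into every risk event this experimental rule generates; a message of the form `New source IP $src_ip$ accessed S3 bucket $bucketName$` (adjusted to the fields the search actually produces) would be more useful to analysts. Both corrections belong in the source detection definition, as this `dist/` file is regenerated.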
@@ -9062,7 +9326,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Detect S3 access from a new IP - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS S3 Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1530"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS S3 Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -9199,7 +9463,7 @@ search = `cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=17 action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search detects users creating spikes in API activity related to deletion of S3 buckets in your AWS environment. It will also update the cache file that factors in the latest data. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1530"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search detects users creating spikes in API activity related to deletion of S3 buckets in your AWS environment. It will also update the cache file that factors in the latest data. action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the "Baseline of S3 Bucket deletion activity by ARN" support search once to create a baseline of previously seen S3 bucket-deletion activity. 
@@ -9222,7 +9486,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Detect Spike in S3 Bucket deletion - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS S3 Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1530"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS S3 Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1530"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -9239,7 +9503,7 @@ search = `cloudtrail` eventName=DeleteBucket [search `cloudtrail` eventName=Dele action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies an authentication attempt event against a Google Cloud Platform tenant that fails during the Multi Factor Authentication challenge. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies an authentication attempt event against a Google Cloud Platform tenant that fails during the Multi Factor Authentication challenge. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the User log events. 
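Review bot: The `kill_chain_phases` added for this failed-MFA analytic (`Weaponization`, `Exploitation`, `Delivery`, `Installation`) look mechanically derived from the T1586/T1078 tactic list rather than from what the event evidences; a failed MFA challenge shows an authentication attempt only, so `Exploitation` alone is what the description supports, and the extra phases will skew ES kill-chain reporting. Separately, the description says the attempt is against a "Google Cloud Platform tenant" while `how_to_implement` sources the data from the Google Workspace add-on's User log events, so it should say Google Workspace login to send analysts to the right admin console. Both corrections belong in the source detection YAML that generates this stanza.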
@@ -9254,7 +9518,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["GCP Account Takeover"] action.risk = 1 action.risk.param._risk_message = User $user$ failed to pass MFA challenge -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 54}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 54}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -9262,7 +9526,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - GCP Authentication Failed During MFA Challenge - Rule -action.correlationsearch.annotations = {"analytic_story": ["GCP Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["GCP Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
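Review bot: `action.notable.param.nes_fields = user,dest` in the second hunk names `dest`, but the risk objects in the first hunk are `user` and `src_ip` and nothing visible in this stanza populates a `dest` field; if `dest` is null when the notable is created, the suppression key effectively collapses to `user` alone. Presumably the intended second field is the source address, i.e. `action.notable.param.nes_fields = user,src_ip` — confirm against the full search, which is cut off in the next hunk header. Fix in the source YAML rather than here.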
@@ -9285,7 +9549,7 @@ search = `gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search provides detection of GCPloit exploitation framework. This framework can be used to escalate privileges and move laterally from compromised high privilege accounts. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.CM"]} action.escu.data_models = ["Email"] action.escu.eli5 = This search provides detection of GCPloit exploitation framework. This framework can be used to escalate privileges and move laterally from compromised high privilege accounts. action.escu.how_to_implement = You must install splunk GCP add-on. This search works with gcp:pubsub:message logs 
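Review bot: `action.escu.data_models = ["Email"]` is wrong for this analytic: the search runs over `google_gcp_pubsub_message` Cloud Functions audit events (the `data.protoPayload.request.function.timeout` filter is visible in the next hunk header) and touches no Email data-model field, so data-model coverage reports will mis-count it. The list should be empty, `action.escu.data_models = []`, matching the neighbouring GCP analytics. Fix belongs in the source YAML.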
@@ -9308,7 +9572,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - GCP Detect gcploit framework - Rule -action.correlationsearch.annotations = {"analytic_story": ["GCP Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1078"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["GCP Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -9331,7 +9595,7 @@ search = `google_gcp_pubsub_message` data.protoPayload.request.function.timeout= action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster's pods -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster's pods action.escu.how_to_implement = You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk. 
@@ -9349,7 +9613,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - GCP Kubernetes cluster pod scan detection - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Scanning Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1526"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Scanning Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -9366,7 +9630,7 @@ search = `google_gcp_pubsub_message` category=kube-audit |spath input=properties action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies an attempt to disable multi-factor authentication for a GCP user. An adversary who has obtained access to an GCP tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1556", "T1556.006"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1556", "T1556.006"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies an attempt to disable multi-factor authentication for a GCP user. An adversary who has obtained access to an GCP tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the Admin log events. 
@@ -9381,7 +9645,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["GCP Account Takeover"] action.risk = 1 action.risk.param._risk_message = MFA disabled for User $user$ initiated by $actor.email$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"risk_object_field": "actor.email", "risk_object_type": "user", "risk_score": 45}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"risk_object_field": "actor.email", "risk_object_type": "other", "risk_score": 45}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -9389,7 +9653,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - GCP Multi-Factor Authentication Disabled - Rule -action.correlationsearch.annotations = {"analytic_story": ["GCP Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "mitre_attack": ["T1586", "T1586.003", "T1556", "T1556.006"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["GCP Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Weaponization", "Exploitation", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1556", "T1556.006"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
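Review bot: `actor.email` is re-typed from `user` to `other` here, which is the wrong direction for this detection — the actor is the admin principal that issued `UNENROLL_USER_FROM_STRONG_AUTH` (visible in the next hunk header) and is the identity most likely to be compromised, so its 45 points should aggregate onto that identity in RBA rather than into an untyped bucket. Keep `{"risk_object_field": "actor.email", "risk_object_type": "user", "risk_score": 45}`; if the re-typing comes from a generator rule on dotted field names, rename the field to a recognised identity field (e.g. `src_user`) in the search instead. Fix in the source YAML.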
@@ -9412,7 +9676,7 @@ search = `gws_reports_admin` command=UNENROLL_USER_FROM_STRONG_AUTH | stats coun action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies multiple failed multi-factor authentication requests for a single user within a Google Cloud Platform tenant. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 5 minutes. Google CLoud tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1078", "T1078.004"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1078", "T1078.004"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies multiple failed multi-factor authentication requests for a single user within a Google Cloud Platform tenant. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 5 minutes. Google CLoud tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. 
The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `mfa_prompts` threshold values according to your environment. Specifically, this analytic leverages the User log events. @@ -9427,7 +9691,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["GCP Account Takeover"] action.risk = 1 action.risk.param._risk_message = Multiple Failed MFA requests for user $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 54}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 54}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 54}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -9435,7 +9699,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - GCP Multiple Failed MFA Requests For User - Rule -action.correlationsearch.annotations = {"analytic_story": ["GCP Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "mitre_attack": ["T1586", "T1586.003", "T1621", "T1078", "T1078.004"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["GCP Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1621", "T1078", "T1078.004"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -9458,7 +9722,7 @@ search = `gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies one source Ip failing to authenticate into the Google Workspace user accounts with more than 20 unique valid users within 5 minutes. These user accounts may have other privileges with respect to access to other sensitive resources in the Google Cloud Platform. This behavior could represent an adversary performing a Password Spraying attack against an Google Workspace environment to obtain initial access or elevate privileges. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies one source Ip failing to authenticate into the Google Workspace user accounts with more than 20 unique valid users within 5 minutes. These user accounts may have other privileges with respect to access to other sensitive resources in the Google Cloud Platform. This behavior could represent an adversary performing a Password Spraying attack against an Google Workspace environment to obtain initial access or elevate privileges. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `unique_accounts` threshold values according to your environment. Specifically, this analytic leverages the User log events. 
@@ -9473,7 +9737,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["GCP Account Takeover"] action.risk = 1 action.risk.param._risk_message = Multiple failed login attempts against users $tried_accounts$ seen from $src$ -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 54}, {"risk_object_field": "tried_accounts", "risk_object_type": "user", "risk_score": 54}] +action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "other", "risk_score": 54}, {"risk_object_field": "tried_accounts", "risk_object_type": "user", "risk_score": 54}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -9481,7 +9745,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - GCP Multiple Users Failing To Authenticate From Ip - Rule -action.correlationsearch.annotations = {"analytic_story": ["GCP Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["GCP Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -9498,7 +9762,7 @@ search = `gws_reports_login` event.type = login event.name = login_failure | buc action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a successful authentication event against Google Cloud Platform for an account without Multi-Factor Authentication enabled. This could be evidence of a missconfiguration, a policy violation or an account take over attempt that should be investigated -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies a successful authentication event against Google Cloud Platform for an account without Multi-Factor Authentication enabled. This could be evidence of a missconfiguration, a policy violation or an account take over attempt that should be investigated action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the User log events. 
@@ -9513,7 +9777,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["GCP Account Takeover"] action.risk = 1 action.risk.param._risk_message = Successful authentication for user $user$ without MFA -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 45}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 45}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -9521,7 +9785,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - GCP Successful Single-Factor Authentication - Rule -action.correlationsearch.annotations = {"analytic_story": ["GCP Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["GCP Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -9544,7 +9808,7 @@ search = `gws_reports_login` event.name=login_success NOT `gws_login_mfa_methods action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies one source IP failing to authenticate into the Google Workspace with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against a Google Workspace enviroment to obtain initial access or elevate privileges. The detection calculates the standard deviation for source IP and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the bucket span time and the calculation of the upperBound field. This logic can be used for real time security monitoring as well as threat hunting exercises. While looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `GCP Multiple Users Failing To Authenticate From Ip` -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies one source IP failing to authenticate into the Google Workspace with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against a Google Workspace enviroment to obtain initial access or elevate privileges. The detection calculates the standard deviation for source IP and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. 
To customize this analytic, users can try different combinations of the bucket span time and the calculation of the upperBound field. This logic can be used for real time security monitoring as well as threat hunting exercises. While looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `GCP Multiple Users Failing To Authenticate From Ip` action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `unique_accounts` threshold values according to your environment. Specifically, this analytic leverages the User log events. @@ -9559,7 +9823,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["GCP Account Takeover"] action.risk = 1 action.risk.param._risk_message = Unusual number of failed console login attempts against users $tried_accounts$ seen from $src$ -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 54}, {"risk_object_field": "tried_accounts", "risk_object_type": "user", "risk_score": 54}] +action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "other", "risk_score": 54}, {"risk_object_field": "tried_accounts", "risk_object_type": "user", "risk_score": 54}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
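Review bot: `how_to_implement` in the first hunk (`@@ -9544`) tells the operator to tune the `unique_accounts` threshold, but that threshold belongs to the threshold-based sibling `GCP Multiple Users Failing To Authenticate From Ip`; this statistical variant, by its own description, is tuned via the bucket `span` and the `upperBound` (3-sigma) calculation, so the text appears copy-pasted and points operators at a field that does not exist here. Suggest `We would also recommend tuning the detection by adjusting the bucket span and the upperBound calculation according to your environment.` Note also that the `tried_accounts` risk object in the second hunk presumably carries every sprayed account, so 54 points land on each target of a single spray; that is the usual ESCU pattern but deserves a sentence in the description. Source YAML is the place to fix both.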
@@ -9567,7 +9831,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - GCP Unusual Number of Failed Authentications From Ip - Rule -action.correlationsearch.annotations = {"analytic_story": ["GCP Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["GCP Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -9584,7 +9848,7 @@ search = `gws_reports_login` event.type = login event.name = login_failure| buck action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search can help the detection of compromised accounts or internal users sharing potentially malicious/classified documents with users outside your organization via GSuite file sharing . -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search can help the detection of compromised accounts or internal users sharing potentially malicious/classified documents with users outside your organization via GSuite file sharing . action.escu.how_to_implement = Need to implement Gsuite logging targeting Google suite drive activity. In order for the search to work for your environment please update `yourdomain.com` value in the query with the domain relavant for your organization. 
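Review bot: The search behind this stanza depends on the operator replacing the literal `yourdomain.com` (per `how_to_implement`), and nothing in the stanza guards against the placeholder being left in, so an un-customised deployment will silently mis-classify sharing — matching nothing or treating the real corporate domain as external, depending on how the filter uses it; ESCU's usual pattern is a macro the operator overrides, which makes the dependency explicit. The MITRE mapping is only T1566 (Phishing) although the stanza sits in the Data Exfiltration story; adding an exfiltration technique such as T1567.002 (Exfiltration to Cloud Storage) would let `kill_chain_phases` reflect `Actions on Objectives` alongside `Delivery`. Both belong in the source YAML.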
@@ -9602,7 +9866,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Gdrive suspicious file sharing - Rule -action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1566"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -9619,7 +9883,7 @@ search = `gsuite_drive` name=change_user_access | rename parameters.* as * | sea action.escu = 0 action.escu.enabled = 1 description = This search detects a disabled security workflow in GitHub Actions. An attacker can disable a security workflow in GitHub actions to hide malicious code in it. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1195.002", "T1195"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.002", "T1195"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search detects a disabled security workflow in GitHub Actions. An attacker can disable a security workflow in GitHub actions to hide malicious code in it. action.escu.how_to_implement = You must index GitHub logs. You can follow the url in reference to onboard GitHub logs. Sometimes GitHub logs are truncated, make sure to disable it in props.conf. Replace *security-testing* with the name of your security testing workflow in GitHub Actions. 
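Review bot: The GitHub Actions analytic (`@@ -9619`) only fires for a workflow literally named `security-testing` unless the operator edits the search, and nothing flags a non-customised deployment, so it can be enabled and never match; recommend moving the name into a macro (the ESCU convention) so the override is explicit. The `how_to_implement` advice to "disable" truncation should name the setting — `TRUNCATE = 0` for the GitHub sourcetype in props.conf — since that is what keeps the `workflow_run` JSON intact for field extraction. Fix in the source YAML.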
@@ -9642,7 +9906,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - GitHub Actions Disable Security Workflow - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 90, "impact": 30, "mitre_attack": ["T1195.002", "T1195"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.002", "T1195"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -9659,7 +9923,7 @@ search = `github` workflow_run.event=push OR workflow_run.event=pull_request | s action.escu = 0 action.escu.enabled = 1 description = This search is to detect a pushed or commit to master or main branch. This is to avoid unwanted modification to master without a review to the changes. Ideally in terms of devsecops the changes made in a branch and do a PR for review. of course in some cases admin of the project may did a changes directly to master branch -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1199"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1199"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search is to detect a pushed or commit to master or main branch. This is to avoid unwanted modification to master without a review to the changes. Ideally in terms of devsecops the changes made in a branch and do a PR for review. of course in some cases admin of the project may did a changes directly to master branch action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs related to github logs having the fork, commit, push metadata that can be use to monitor the changes in a github project. 
@@ -9674,7 +9938,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Dev Sec Ops"]
 action.risk = 1
 action.risk.param._risk_message = suspicious commit by $commit.commit.author.email$ to main branch
-action.risk.param._risk = [{"risk_object_field": "commit.commit.author.email", "risk_object_type": "user", "risk_score": 9}]
+action.risk.param._risk = [{"risk_object_field": "commit.commit.author.email", "risk_object_type": "other", "risk_score": 9}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -9682,7 +9946,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Github Commit Changes In Master - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "mitre_attack": ["T1199"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1199"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -9699,7 +9963,7 @@ search = `github` branches{}.name = main OR branches{}.name = master | stats co
 action.escu = 0
 action.escu.enabled = 1
 description = This search is to detect a pushed or commit to develop branch. This is to avoid unwanted modification to develop without a review to the changes. Ideally in terms of devsecops the changes made in a branch and do a PR for review. of course in some cases admin of the project may did a changes directly to master branch
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1199"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1199"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search is to detect a pushed or commit to develop branch. This is to avoid unwanted modification to develop without a review to the changes. Ideally in terms of devsecops the changes made in a branch and do a PR for review. of course in some cases admin of the project may did a changes directly to master branch
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs related to github logs having the fork, commit, push metadata that can be use to monitor the changes in a github project.
@@ -9714,7 +9978,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Dev Sec Ops"]
 action.risk = 1
 action.risk.param._risk_message = suspicious commit by $commit.commit.author.email$ to develop branch
-action.risk.param._risk = [{"risk_object_field": "commit.commit.author.email", "risk_object_type": "user", "risk_score": 9}]
+action.risk.param._risk = [{"risk_object_field": "commit.commit.author.email", "risk_object_type": "other", "risk_score": 9}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -9722,7 +9986,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Github Commit In Develop - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "mitre_attack": ["T1199"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1199"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -9739,7 +10003,7 @@ search = `github` branches{}.name = main OR branches{}.name = develop | stats c
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic is made by first searching for logs that contain the action "create" and renames certain fields for easier analysis. Then, this analytic uses the "stats" command to calculate the first and last occurrence of the alert based on the timestamp. The fields included in the output are the action, affected package name, affected range, created date, external identifier, external reference, fixed version, severity, repository, repository URL, and user. The "phase" field is set to "code" to indicate that the alert pertains to code-related issues. The detection is important because dependabot Alerts can indicate vulnerabilities in the codebase that can be exploited by attackers. Detecting and investigating these alerts can help a SOC to proactively address security risks and prevent potential breaches or unauthorized access to sensitive information. False positives might occur since there are legitimate actions that trigger the "create" action or if other factors exist that can generate similar log entries. Next steps include reviewing the details of the alert, such as the affected package, severity, and fixed version to determine the appropriate response and mitigation steps.
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1195.001", "T1195"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.001", "T1195"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic is made by first searching for logs that contain the action "create" and renames certain fields for easier analysis. Then, this analytic uses the "stats" command to calculate the first and last occurrence of the alert based on the timestamp.
The fields included in the output are the action, affected package name, affected range, created date, external identifier, external reference, fixed version, severity, repository, repository URL, and user. The "phase" field is set to "code" to indicate that the alert pertains to code-related issues. The detection is important because dependabot Alerts can indicate vulnerabilities in the codebase that can be exploited by attackers. Detecting and investigating these alerts can help a SOC to proactively address security risks and prevent potential breaches or unauthorized access to sensitive information. False positives might occur since there are legitimate actions that trigger the "create" action or if other factors exist that can generate similar log entries. Next steps include reviewing the details of the alert, such as the affected package, severity, and fixed version to determine the appropriate response and mitigation steps.
 action.escu.how_to_implement = You must index GitHub logs. You can follow the url in reference to onboard GitHub logs.
@@ -9762,7 +10026,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - GitHub Dependabot Alert - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 90, "impact": 30, "mitre_attack": ["T1195.001", "T1195"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.001", "T1195"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -9779,7 +10043,7 @@ search = `github` alert.id=* action=create | rename repository.full_name as repo
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic detects pull requests from unknown users on GitHub. The detection is made by using a Splunk query to search for pull requests in the `check_suite.pull_requests` field where the `id` is not specified. Next, the analytic retrieves information such as the author's name, the repository's full name, the head reference of the pull request, and the commit message from the `check_suite.head_commit` field. The analytic also includes a step to exclude known users by using the `github_known_users` lookup table, which helps to filter out pull requests from known users and focus on the pull requests from unknown users. The detection is important because it locates potential malicious activity or unauthorized access since unknown users can introduce malicious code or gain unauthorized access to repositories leading to unauthorized code changes, data breaches, or other security incidents. Next steps include reviewing the author's name, the repository involved, the head reference of the pull request, and the commit message upon triage of a potential pull request from an unknown user. You must also analyze any relevant on-disk artifacts and investigate any concurrent processes to determine the source and intent of the pull request."
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1195.001", "T1195"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.001", "T1195"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic detects pull requests from unknown users on GitHub. The detection is made by using a Splunk query to search for pull requests in the `check_suite.pull_requests` field where the `id` is not specified.
Next, the analytic retrieves information such as the author's name, the repository's full name, the head reference of the pull request, and the commit message from the `check_suite.head_commit` field. The analytic also includes a step to exclude known users by using the `github_known_users` lookup table, which helps to filter out pull requests from known users and focus on the pull requests from unknown users. The detection is important because it locates potential malicious activity or unauthorized access since unknown users can introduce malicious code or gain unauthorized access to repositories leading to unauthorized code changes, data breaches, or other security incidents. Next steps include reviewing the author's name, the repository involved, the head reference of the pull request, and the commit message upon triage of a potential pull request from an unknown user. You must also analyze any relevant on-disk artifacts and investigate any concurrent processes to determine the source and intent of the pull request."
 action.escu.how_to_implement = You must index GitHub logs. You can follow the url in reference to onboard GitHub logs.
@@ -9802,7 +10066,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - GitHub Pull Request from Unknown User - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 90, "impact": 30, "mitre_attack": ["T1195.001", "T1195"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.001", "T1195"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -9819,7 +10083,7 @@ search = `github` check_suite.pull_requests{}.id=* | stats count by check_suite.
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search is to detect suspicious google drive or google docs files shared outside or externally. This behavior might be a good hunting query to monitor exfitration of data made by an attacker or insider to a targetted machine.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1567.002", "T1567"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1567.002", "T1567"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search is to detect suspicious google drive or google docs files shared outside or externally. This behavior might be a good hunting query to monitor exfitration of data made by an attacker or insider to a targetted machine.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. In order for the search to work for your environment, please edit the query to use your company specific email domain instead of `internal_test_email.com`.
@@ -9834,7 +10098,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Dev Sec Ops", "Insider Threat"]
 action.risk = 1
 action.risk.param._risk_message = suspicious share gdrive from $parameters.owner$ to $email$ namely as $parameters.doc_title$
-action.risk.param._risk = [{"risk_object_field": "parameters.owner", "risk_object_type": "user", "risk_score": 72}, {"risk_object_field": "email", "risk_object_type": "user", "risk_score": 72}]
+action.risk.param._risk = [{"risk_object_field": "parameters.owner", "risk_object_type": "other", "risk_score": 72}, {"risk_object_field": "email", "risk_object_type": "user", "risk_score": 72}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -9842,7 +10106,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Gsuite Drive Share In External Email - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops", "Insider Threat"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "mitre_attack": ["T1567.002", "T1567"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops", "Insider Threat"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1567.002", "T1567"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -9859,7 +10123,7 @@ search = `gsuite_drive` NOT (email IN("", "null")) | rex field=parameters.owner
 action.escu = 0
 action.escu.enabled = 1
 description = This search is to detect a suspicious attachment file extension in Gsuite email that may related to spear phishing attack. This file type is commonly used by malware to lure user to click on it to execute malicious code to compromised targetted machine. But this search can also catch some normal files related to this file type that maybe send by employee or network admin.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search is to detect a suspicious attachment file extension in Gsuite email that may related to spear phishing attack. This file type is commonly used by malware to lure user to click on it to execute malicious code to compromised targetted machine. But this search can also catch some normal files related to this file type that maybe send by employee or network admin.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.
@@ -9874,7 +10138,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Dev Sec Ops"]
 action.risk = 1
 action.risk.param._risk_message = suspicious email from $source.address$ to $destination{}.address$
-action.risk.param._risk = [{"risk_object_field": "source.address", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "destination{}.address", "risk_object_type": "user", "risk_score": 49}]
+action.risk.param._risk = [{"risk_object_field": "source.address", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "destination{}.address", "risk_object_type": "user", "risk_score": 49}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -9882,7 +10146,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - GSuite Email Suspicious Attachment - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -9899,7 +10163,7 @@ search = `gsuite_gmail` "attachment{}.file_extension_type" IN ("pl", "py", "rb",
 action.escu = 0
 action.escu.enabled = 1
 description = This search is to detect a gsuite email contains suspicious subject having known file type used in spear phishing. This technique is a common and effective entry vector of attacker to compromise a network by luring the user to click or execute the suspicious attachment send from external email account because of the effective social engineering of subject related to delivery, bank and so on. On the other hand this detection may catch a normal email traffic related to legitimate transaction so better to check the email sender, spelling and etc. avoid click link or opening the attachment if you are not expecting this type of e-mail.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search is to detect a gsuite email contains suspicious subject having known file type used in spear phishing. This technique is a common and effective entry vector of attacker to compromise a network by luring the user to click or execute the suspicious attachment send from external email account because of the effective social engineering of subject related to delivery, bank and so on. On the other hand this detection may catch a normal email traffic related to legitimate transaction so better to check the email sender, spelling and etc. avoid click link or opening the attachment if you are not expecting this type of e-mail.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.
@@ -9914,7 +10178,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Dev Sec Ops"]
 action.risk = 1
 action.risk.param._risk_message = suspicious email from $source.address$ to $destination{}.address$
-action.risk.param._risk = [{"risk_object_field": "source.address", "risk_object_type": "user", "risk_score": 25}]
+action.risk.param._risk = [{"risk_object_field": "source.address", "risk_object_type": "other", "risk_score": 25}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -9922,7 +10186,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Gsuite Email Suspicious Subject With Attachment - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -9939,7 +10203,7 @@ search = `gsuite_gmail` num_message_attachments > 0 subject IN ("*dhl*", "* ups
 action.escu = 0
 action.escu.enabled = 1
 description = This analytics is to detect a gmail containing a link that are known to be abused by malware or attacker like pastebin, telegram and discord to deliver malicious payload. This event can encounter some normal email traffic within organization and external email that normally using this application and services.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This analytics is to detect a gmail containing a link that are known to be abused by malware or attacker like pastebin, telegram and discord to deliver malicious payload. This event can encounter some normal email traffic within organization and external email that normally using this application and services.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.
@@ -9954,7 +10218,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Dev Sec Ops"]
 action.risk = 1
 action.risk.param._risk_message = suspicious email from $source.address$ to $destination{}.address$
-action.risk.param._risk = [{"risk_object_field": "source.address", "risk_object_type": "user", "risk_score": 25}]
+action.risk.param._risk = [{"risk_object_field": "source.address", "risk_object_type": "other", "risk_score": 25}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -9962,7 +10226,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Gsuite Email With Known Abuse Web Service Link - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -9979,7 +10243,7 @@ search = `gsuite_gmail` "link_domain{}" IN ("*pastebin.com*", "*discord*", "*tel
 action.escu = 0
 action.escu.enabled = 1
 description = This search is to detect a suspicious outbound e-mail from internal email to external email domain. This can be a good hunting query to monitor insider or outbound email traffic for not common domain e-mail. The idea is to parse the domain of destination email check if there is a minimum outbound traffic < 20 with attachment.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search is to detect a suspicious outbound e-mail from internal email to external email domain. This can be a good hunting query to monitor insider or outbound email traffic for not common domain e-mail. The idea is to parse the domain of destination email check if there is a minimum outbound traffic < 20 with attachment.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.
@@ -9994,7 +10258,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Dev Sec Ops", "Insider Threat"]
 action.risk = 1
 action.risk.param._risk_message = suspicious email from $source.address$ to $destination{}.address$
-action.risk.param._risk = [{"risk_object_field": "dest_domain", "risk_object_type": "system", "risk_score": 9}]
+action.risk.param._risk = [{"risk_object_field": "dest_domain", "risk_object_type": "other", "risk_score": 9}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -10002,7 +10266,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Gsuite Outbound Email With Attachment To External Domain - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops", "Insider Threat"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops", "Insider Threat"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003", "T1048"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -10019,7 +10283,7 @@ search = `gsuite_gmail` num_message_attachments > 0 | rex field=source.from_head
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search can help the detection of compromised accounts or internal users sending suspcious calendar invites via GSuite calendar. These invites may contain malicious links or attachments.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search can help the detection of compromised accounts or internal users sending suspcious calendar invites via GSuite calendar. These invites may contain malicious links or attachments.
 action.escu.how_to_implement = In order to successfully implement this search, you need to be ingesting logs related to gsuite (gsuite:calendar:json) having the file sharing metadata like file type, source owner, destination target user, description, etc. This search can also be made more specific by selecting specific emails, subdomains timeframe, organizational units, targeted user, etc. In order for the search to work for your environment please update `yourdomain.com` value in the query with the domain relavant for your organization.
@@ -10037,7 +10301,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Gsuite suspicious calendar invite - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1566"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -10054,7 +10318,7 @@ search = `gsuite_calendar` |bin span=5m _time |rename parameters.* as * |search
 action.escu = 0
 action.escu.enabled = 1
 description = This search is to detect a shared file in google drive with suspicious file name that are commonly used by spear phishing campaign. This technique is very popular to lure the user by running a malicious document or click a malicious link within the shared file that will redirected to malicious website. This detection can also catch some normal email communication between organization and its external customer.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search is to detect a shared file in google drive with suspicious file name that are commonly used by spear phishing campaign. This technique is very popular to lure the user by running a malicious document or click a malicious link within the shared file that will redirected to malicious website. This detection can also catch some normal email communication between organization and its external customer.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. In order for the search to work for your environment, please edit the query to use your company specific email domain instead of `internal_test_email.com`.
@@ -10069,7 +10333,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Dev Sec Ops"]
 action.risk = 1
 action.risk.param._risk_message = suspicious share gdrive from $parameters.owner$ to $email$ namely as $parameters.doc_title$
-action.risk.param._risk = [{"risk_object_field": "parameters.owner", "risk_object_type": "user", "risk_score": 21}, {"risk_object_field": "email", "risk_object_type": "user", "risk_score": 21}]
+action.risk.param._risk = [{"risk_object_field": "parameters.owner", "risk_object_type": "other", "risk_score": 21}, {"risk_object_field": "email", "risk_object_type": "user", "risk_score": 21}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -10077,7 +10341,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Gsuite Suspicious Shared File Name - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.001", "T1566"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -10094,7 +10358,7 @@ search = `gsuite_drive` parameters.owner_is_team_drive=false "parameters.doc_tit action.escu = 0 action.escu.enabled = 1 description = This analytic detects multiple failed login attempts in Office365 Azure Active Directory from a single source IP address. Specifically, it identifies scenarios where there are more than 10 unsuccessful login attempts within a short time frame. The detection leverages Office365 management activity logs, specifically the AzureActiveDirectoryStsLogon records from the AzureActiveDirectory workload. It aggregates these logs in 5-minute intervals to count the number of failed login attempts and associates them with the originating source IP address. Multiple failed login attempts from a single source can be indicative of brute-force attacks, password spraying, or other malicious authentication attempts. Identifying and responding to these patterns promptly can prevent unauthorized access and potential breaches. If this detection represents a true positive, an attacker might be attempting to gain unauthorized access to an Office365 account. Successful compromise could lead to unauthorized access to sensitive data, potential lateral movement within the organization, or further malicious activities using the compromised account. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1110.001", "T1110"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.001", "T1110"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic detects multiple failed login attempts in Office365 Azure Active Directory from a single source IP address. Specifically, it identifies scenarios where there are more than 10 unsuccessful login attempts within a short time frame. The detection leverages Office365 management activity logs, specifically the AzureActiveDirectoryStsLogon records from the AzureActiveDirectory workload. 
It aggregates these logs in 5-minute intervals to count the number of failed login attempts and associates them with the originating source IP address. Multiple failed login attempts from a single source can be indicative of brute-force attacks, password spraying, or other malicious authentication attempts. Identifying and responding to these patterns promptly can prevent unauthorized access and potential breaches. If this detection represents a true positive, an attacker might be attempting to gain unauthorized access to an Office365 account. Successful compromise could lead to unauthorized access to sensitive data, potential lateral movement within the organization, or further malicious activities using the compromised account. action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. Adjust the threshold value to suit the specific environment, as environments with naturally higher login failures might generate false positives at a lower threshold. @@ -10109,7 +10373,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Office 365 Account Takeover"] action.risk = 1 action.risk.param._risk_message = Ip address $src_ip$ failed to authenticate more than 10 times in a 5 minute -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 25}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -10117,7 +10381,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - High Number of Login Failures from a single source - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1110.001", "T1110"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110.001", "T1110"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -10134,7 +10398,7 @@ search = `o365_management_activity` Workload=AzureActiveDirectory Operation=User action.escu = 0 action.escu.enabled = 1 description = The following analytic detects unauthorized access or misuse of Kubernetes Secrets from unusual locations. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by country. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects unauthorized access or misuse of Kubernetes Secrets from unusual locations. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by country. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. 
Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. @@ -10149,7 +10413,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Kubernetes Security"] action.risk = 1 action.risk.param._risk_message = Access of Kubernetes secret $objectRef.name$ from unusual location $Country$ by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 49}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -10157,7 +10421,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kubernetes Abuse of Secret by Unusual Location - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -10174,7 +10438,7 @@ search = `kube_audit` objectRef.resource=secrets verb=get | iplocation sourceIPs action.escu = 0 action.escu.enabled = 1 description = The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user agents. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by user agent. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user agents. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by user agent. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. 
Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. @@ -10189,7 +10453,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Kubernetes Security"] action.risk = 1 action.risk.param._risk_message = Access of Kubernetes secret $objectRef.name$ from unusual user agent $userAgent$ by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 49}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -10197,7 +10461,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kubernetes Abuse of Secret by Unusual User Agent - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -10214,7 +10478,7 @@ search = `kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_all action.escu = 0 action.escu.enabled = 1 description = The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user groups. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by user group. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user groups. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by user group. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. 
Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. @@ -10229,7 +10493,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Kubernetes Security"] action.risk = 1 action.risk.param._risk_message = Access of Kubernetes secret $objectRef.name$ from unusual user group $user.groups{}$ by user name $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 49}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -10237,7 +10501,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kubernetes Abuse of Secret by Unusual User Group - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -10254,7 +10518,7 @@ search = `kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_all action.escu = 0 action.escu.enabled = 1 description = The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user names. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by user name. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects unauthorized access or misuse of Kubernetes Secrets by unusual user names. It identifies anomalies in access patterns by segmenting and analyzing the source of requests by user name. Kubernetes Secrets, which store sensitive information like passwords, OAuth tokens, and SSH keys, are critical assets, and their misuse can lead to significant security breaches. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to exfiltrate or misuse these secrets. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. 
Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. @@ -10269,7 +10533,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Kubernetes Security"] action.risk = 1 action.risk.param._risk_message = Access of Kubernetes secret $objectRef.name$ from unusual user name $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 49}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -10277,7 +10541,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kubernetes Abuse of Secret by Unusual User Name - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.007"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -10294,7 +10558,7 @@ search = `kube_audit` objectRef.resource=secrets verb=get | search NOT `kube_all action.escu = 0 action.escu.enabled = 1 description = The following analytic detects potential scanning activities within a Kubernetes environment. It identifies unauthorized access attempts, probing of public APIs, or attempts to exploit known vulnerabilities. The analytic detects this behavior by monitoring Kubernetes audit logs for patterns indicative of scanning, such as repeated failed access attempts or unusual API requests. This behavior is worth identifying for a SOC as it could indicate an attackers preliminary step in an attack, aiming to gather information about the system to find potential vulnerabilities. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1046"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1046"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects potential scanning activities within a Kubernetes environment. It identifies unauthorized access attempts, probing of public APIs, or attempts to exploit known vulnerabilities. The analytic detects this behavior by monitoring Kubernetes audit logs for patterns indicative of scanning, such as repeated failed access attempts or unusual API requests. This behavior is worth identifying for a SOC as it could indicate an attackers preliminary step in an attack, aiming to gather information about the system to find potential vulnerabilities. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. 
Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. @@ -10309,7 +10573,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Kubernetes Security"] action.risk = 1 action.risk.param._risk_message = Kubernetes scanning from ip $src_ip$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 49}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -10317,7 +10581,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kubernetes Access Scanning - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "mitre_attack": ["T1046"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1046"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -10334,7 +10598,7 @@ search = `kube_audit` "user.groups{}"="system:unauthenticated" "responseStatus.c action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This detection detects inbound network traffic volume anomalies from processes running within containerised workloads. Anomalies are provided with context identifying the Kubernetes cluster, the workload name, and the type of anomaly.This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets metrics for destination (receiving) workload process pairs over the last 1 hour, with the average of those metrics for those pairs over the last 30 days in order to detect any anonymously high inbound network activity. Anomalies in inbound network traffic may suggest that the container is receiving unexpected or unauthorized data, potentially indicative of a breach, a vulnerability exploitation attempt, an attempt to overload the service, or propagation of malware. Successful compromise of a containerised application resulting in the ability to upload data, can result in installation of command and control software or other malware, data integrity damage, container escape, and further compromise of the environment. Additionally this kind of activity may result in resource contention, performance degradation and disruption to the normal operation of the environment. 
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This detection detects inbound network traffic volume anomalies from processes running within containerised workloads. Anomalies are provided with context identifying the Kubernetes cluster, the workload name, and the type of anomaly.This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets metrics for destination (receiving) workload process pairs over the last 1 hour, with the average of those metrics for those pairs over the last 30 days in order to detect any anonymously high inbound network activity. Anomalies in inbound network traffic may suggest that the container is receiving unexpected or unauthorized data, potentially indicative of a breach, a vulnerability exploitation attempt, an attempt to overload the service, or propagation of malware. Successful compromise of a containerised application resulting in the ability to upload data, can result in installation of command and control software or other malware, data integrity damage, container escape, and further compromise of the environment. Additionally this kind of activity may result in resource contention, performance degradation and disruption to the normal operation of the environment. 
action.escu.how_to_implement = To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default:\ @@ -10353,7 +10617,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] action.risk = 1 action.risk.param._risk_message = Kubernetes Anomalous Inbound Network Activity from Process in kubernetes cluster $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 25}] +action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -10361,7 +10625,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Kubernetes Anomalous Inbound Network Activity from Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -10378,7 +10642,7 @@ search = | mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metr action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic identifies high Inbound or Outbound Network IO anomalies in a Kubernetes container. It uses process metrics from an OTEL collector and Kubelet Stats Receiver, and data from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. A lookup table containing average and standard deviation for network IO is used to evaluate anomalies for each container. An event is generated if the anomaly persists over a 1 hour period. These anomalies may indicate security threats such as data exfiltration, command and control communication, service disruptions, or unauthorized data transfers. They can compromise the confidentiality, availability, and integrity of applications and data, necessitating rapid detection and response. Anomalous network utilization may suggest a compromised container, potentially leading to data breaches, service outages, financial losses, and reputational damage. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies high Inbound or Outbound Network IO anomalies in a Kubernetes container. It uses process metrics from an OTEL collector and Kubelet Stats Receiver, and data from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. 
A lookup table containing average and standard deviation for network IO is used to evaluate anomalies for each container. An event is generated if the anomaly persists over a 1 hour period. These anomalies may indicate security threats such as data exfiltration, command and control communication, service disruptions, or unauthorized data transfers. They can compromise the confidentiality, availability, and integrity of applications and data, necessitating rapid detection and response. Anomalous network utilization may suggest a compromised container, potentially leading to data breaches, service outages, financial losses, and reputational damage. action.escu.how_to_implement = To implement this detection, follow these steps: \ @@ -10404,7 +10668,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] action.risk = 1 action.risk.param._risk_message = Kubernetes Anomalous Inbound Outbound Network IO from container on host $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 25}] +action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -10412,7 +10676,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Kubernetes Anomalous Inbound Outbound Network IO - Rule -action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -10429,7 +10693,7 @@ search = | mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8 action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic identifies changes in network communication behavior in a Kubernetes container by examining inbound to outbound network IO ratios. It uses process metrics from an OTEL collector and Kubelet Stats Receiver, and data from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. A lookup table containing average and standard deviation for network IO is used to evaluate anomalies for each container. An event is generated if the anomaly persists over a 1 hour period. These anomalies may indicate security threats such as data exfiltration, command and control communication, or compromised container behavior. They can compromise the confidentiality, availability, and integrity of applications and data, necessitating rapid detection and response. Anomalous network utilization may suggest a compromised container, potentially leading to data breaches, service outages, and unauthorized access within the Kubernetes cluster. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies changes in network communication behavior in a Kubernetes container by examining inbound to outbound network IO ratios. 
It uses process metrics from an OTEL collector and Kubelet Stats Receiver, and data from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. A lookup table containing average and standard deviation for network IO is used to evaluate anomalies for each container. An event is generated if the anomaly persists over a 1 hour period. These anomalies may indicate security threats such as data exfiltration, command and control communication, or compromised container behavior. They can compromise the confidentiality, availability, and integrity of applications and data, necessitating rapid detection and response. Anomalous network utilization may suggest a compromised container, potentially leading to data breaches, service outages, and unauthorized access within the Kubernetes cluster. action.escu.how_to_implement = To implement this detection, follow these steps: \ @@ -10455,7 +10719,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] action.risk = 1 action.risk.param._risk_message = Kubernetes Anomalous Inbound to Outbound Network IO Ratio from Container on host $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 25}] +action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -10463,7 +10727,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Kubernetes Anomalous Inbound to Outbound Network IO Ratio - Rule -action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -10480,7 +10744,7 @@ search = | mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8 action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This detection detects outbound network traffic volume anomalies from processes running within containerised workloads. Anomalies are provided with context identifying the Kubernetes cluster, the workload name, and the type of anomaly. This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets metrics for source (transmitting) workload process pairs over the last 1 hout, with the average of those metrics for those pairs over the last 30 days in order to detect any anonymously high outbound network activity. Anonymously high outbound network traffic from a process running in a container is a potential indication of data exfiltration, or an indication that the process has been modified. Anomalously high outbound network activity from a process running within a container suggests the potential compromise, which may lead to unauthorized data exfiltration, communication with malicious entities, or the propagation of malware to external systems. The compromised container could also serve as a pivot point for further attacks within the containerized environment. 
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This detection detects outbound network traffic volume anomalies from processes running within containerised workloads. Anomalies are provided with context identifying the Kubernetes cluster, the workload name, and the type of anomaly. This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets metrics for source (transmitting) workload process pairs over the last 1 hout, with the average of those metrics for those pairs over the last 30 days in order to detect any anonymously high outbound network activity. Anonymously high outbound network traffic from a process running in a container is a potential indication of data exfiltration, or an indication that the process has been modified. Anomalously high outbound network activity from a process running within a container suggests the potential compromise, which may lead to unauthorized data exfiltration, communication with malicious entities, or the propagation of malware to external systems. The compromised container could also serve as a pivot point for further attacks within the containerized environment. 
action.escu.how_to_implement = To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default:\ @@ -10499,7 +10763,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] action.risk = 1 action.risk.param._risk_message = Kubernetes Anomalous Outbound Network Activity from Process in kubernetes cluster $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 25}] +action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -10507,7 +10771,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Kubernetes Anomalous Outbound Network Activity from Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -10524,7 +10788,7 @@ search = | mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metr action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This detection detects network traffic volume anomalies between workloads in a microservices hosted application, or between a workload and the outside world if the workload is shown as (unknown). This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on (https://splunkbase.splunk.com/app/5247). This detection compares the tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets metrics between workloads over the last 1 hour, with the average of those metrics over the last 30 days in order to detect any anonymously high inbound or outbound network activity. Unexpected spikes in network traffic may signify unauthorized data transfers, or abnormal behavior within the microservices ecosystem. Such activity might signify data exfiltration, unauthorized lateral movement, within the microservices environment. If a bad actor is responsible for this traffic they could compromise additional services or extract sensitive data, potentially leading to data breaches. 
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This detection detects network traffic volume anomalies between workloads in a microservices hosted application, or between a workload and the outside world if the workload is shown as (unknown). This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on (https://splunkbase.splunk.com/app/5247). This detection compares the tcp.bytes, tcp.new_sockets, tcp.packets, udp.bytes, udp.packets metrics between workloads over the last 1 hour, with the average of those metrics over the last 30 days in order to detect any anonymously high inbound or outbound network activity. Unexpected spikes in network traffic may signify unauthorized data transfers, or abnormal behavior within the microservices ecosystem. Such activity might signify data exfiltration, unauthorized lateral movement, within the microservices environment. If a bad actor is responsible for this traffic they could compromise additional services or extract sensitive data, potentially leading to data breaches. action.escu.how_to_implement = To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. 
Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default:\ @@ -10543,7 +10807,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] action.risk = 1 action.risk.param._risk_message = Kubernetes Anomalous Traffic on Network Edge in kubernetes cluster $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 25}] +action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -10551,7 +10815,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Kubernetes Anomalous Traffic on Network Edge - Rule -action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -10608,7 +10872,7 @@ search = `kube_audit` user.username="system:anonymous" user.groups{} IN ("system action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the creation of privileged pods in Kubernetes. It identifies this behavior by monitoring Kubernetes Audit logs for the creation of pods with root privileges. This behavior is worth identifying for a SOC as it could potentially allow an attacker to escalate privileges, exploit the kernel, and gain full access to the host's namespace and devices. The impact of such an attack could be severe, leading to unauthorized access to sensitive information, data breaches, and service disruptions. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects the creation of privileged pods in Kubernetes. It identifies this behavior by monitoring Kubernetes Audit logs for the creation of pods with root privileges. This behavior is worth identifying for a SOC as it could potentially allow an attacker to escalate privileges, exploit the kernel, and gain full access to the host's namespace and devices. The impact of such an attack could be severe, leading to unauthorized access to sensitive information, data breaches, and service disruptions. action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. 
Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. @@ -10623,7 +10887,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Kubernetes Security"] action.risk = 1 action.risk.param._risk_message = Kubernetes privileged pod created by user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 49}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -10631,7 +10895,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kubernetes Create or Update Privileged Pod - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -10648,7 +10912,7 @@ search = `kube_audit` objectRef.resource=pods verb=create OR verb=update request action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the creation of a Kubernetes cron job, a task scheduled to run automatically at specified intervals. It identifies this behavior by monitoring Kubernetes Audit logs for creation of a cron job. This behavior is worth identifying for a SOC as it could potentially allow an attacker to execute malicious tasks repeatedly and automatically, posing a significant threat to the integrity and security of the Kubernetes infrastructure. The impact of such an attack could be severe, leading to persistent attacks, service disruptions, or unauthorized access to sensitive information. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1053.007"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.007"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects the creation of a Kubernetes cron job, a task scheduled to run automatically at specified intervals. It identifies this behavior by monitoring Kubernetes Audit logs for creation of a cron job. This behavior is worth identifying for a SOC as it could potentially allow an attacker to execute malicious tasks repeatedly and automatically, posing a significant threat to the integrity and security of the Kubernetes infrastructure. The impact of such an attack could be severe, leading to persistent attacks, service disruptions, or unauthorized access to sensitive information. action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. 
Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. @@ -10663,7 +10927,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Kubernetes Security"] action.risk = 1 action.risk.param._risk_message = Kubernetes cron job creation from user $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 49}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -10671,7 +10935,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kubernetes Cron Job Creation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "mitre_attack": ["T1053.007"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.007"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -10688,7 +10952,7 @@ search = `kube_audit` verb=create "objectRef.resource"=cronjobs | fillnull | sta action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the creation of a DaemonSet in a Kubernetes cluster. A DaemonSet ensures the presence of a specific pod on every node in the cluster, making it an ideal avenue for persistent access. This behavior is identified by monitoring Kubernetes Audit logs for the creation of a DaemonSet. The identified behavior is worth noting for a SOC as it could potentially allow an attacker to maintain persistent access to the Kubernetes infrastructure. The impact of such an attack could be severe, leading to persistent attacks, service disruptions, or unauthorized access to sensitive information. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects the creation of a DaemonSet in a Kubernetes cluster. A DaemonSet ensures the presence of a specific pod on every node in the cluster, making it an ideal avenue for persistent access. This behavior is identified by monitoring Kubernetes Audit logs for the creation of a DaemonSet. The identified behavior is worth noting for a SOC as it could potentially allow an attacker to maintain persistent access to the Kubernetes infrastructure. The impact of such an attack could be severe, leading to persistent attacks, service disruptions, or unauthorized access to sensitive information. action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. 
Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. @@ -10703,7 +10967,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Kubernetes Security"] action.risk = 1 action.risk.param._risk_message = DaemonSet deployed to Kubernetes by user $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 49}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -10711,7 +10975,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kubernetes DaemonSet Deployed - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -10728,7 +10992,7 @@ search = `kube_audit` "objectRef.resource"=daemonsets verb=create | fillnull | s action.escu = 0 action.escu.enabled = 1 description = The following analytic detects instances where a shell is spawned within a Kubernetes container, a behavior often indicative of an attacker gaining unauthorized access. Leveraging Falco, a cloud-native runtime security tool, this analytic monitors system calls within the Kubernetes environment, flagging when a shell is spawned in a container. This behavior is worth identifying for a SOC as it could potentially allow an attacker to execute arbitrary commands, manipulate container processes, or escalate privileges, posing a significant threat to the integrity and security of the Kubernetes infrastructure. The impact of such an attack could be severe, leading to data breaches, service disruptions, or unauthorized access to sensitive information. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects instances where a shell is spawned within a Kubernetes container, a behavior often indicative of an attacker gaining unauthorized access. Leveraging Falco, a cloud-native runtime security tool, this analytic monitors system calls within the Kubernetes environment, flagging when a shell is spawned in a container. This behavior is worth identifying for a SOC as it could potentially allow an attacker to execute arbitrary commands, manipulate container processes, or escalate privileges, posing a significant threat to the integrity and security of the Kubernetes infrastructure. The impact of such an attack could be severe, leading to data breaches, service disruptions, or unauthorized access to sensitive information. 
action.escu.how_to_implement = The detection is based on data that originates from Falco, a cloud native runtime security tool. Falco is designed to detect anomalous activity in your applications and is a crucial component of this detection rule. To implement this detection rule, you need to install and configure Falco in your Kubernetes environment. Once Falco is set up, it will monitor the system calls in your Kubernetes infrastructure and generate logs for any suspicious activity. These logs are then ingested by Splunk for analysis. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. @@ -10751,7 +11015,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kubernetes Falco Shell Spawned - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -10768,7 +11032,7 @@ search = `kube_container_falco` "A shell was spawned in a container" | fillnull action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic detects TCP communication between a newly seen source and destination workload pair. This is done to identify changes in network behavior between workloads in a kubernetes cluster. This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares network activity between workloads over the last 1 hour, with those over the last 30 days in order to detect newly seen inter workload communication. Newly seen network connections in a microservices based app indicate a change in behavior which could indicate potential security threats or anomalies. Distributed applications typically have common established network connection topologies, and new connections are often either an indication of a change in the application or an active threat. Unauthorized connections may enable the attacker to infiltrate the applications ecosystem, potentially leading to data breaches, manipulation of sensitive information, or disruption of critical services. Bad actors may exploit these connections to gain access, escalate privileges, move laterally within the microservices, or introduce malicious code or payloads, putting the applications integrity, availability, and confidentiality at risk. 
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic detects TCP communication between a newly seen source and destination workload pair. This is done to identify changes in network behavior between workloads in a kubernetes cluster. This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares network activity between workloads over the last 1 hour, with those over the last 30 days in order to detect newly seen inter workload communication. Newly seen network connections in a microservices based app indicate a change in behavior which could indicate potential security threats or anomalies. Distributed applications typically have common established network connection topologies, and new connections are often either an indication of a change in the application or an active threat. Unauthorized connections may enable the attacker to infiltrate the applications ecosystem, potentially leading to data breaches, manipulation of sensitive information, or disruption of critical services. Bad actors may exploit these connections to gain access, escalate privileges, move laterally within the microservices, or introduce malicious code or payloads, putting the applications integrity, availability, and confidentiality at risk. 
action.escu.how_to_implement = To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default:\ @@ -10787,7 +11051,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] action.risk = 1 action.risk.param._risk_message = Kubernetes newly seen TCP edge in kubernetes cluster $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 25}] +action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -10795,7 +11059,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Kubernetes newly seen TCP edge - Rule -action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -10812,7 +11076,7 @@ search = | mstats count(tcp.packets) as tcp.packets_count where `kubernetes_metr action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic detects UDP communication between a newly seen source and destination workload pair. This is done to identify changes in network behavior between workloads in a kubernetes cluster. This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares network activity between workloads over the last 1 hour, with those over the last 30 days in order to detect newly seen inter workload communication. Newly seen network connections in a microservices based app indicate a change in behavior which could indicate potential security threats or anomalies. Distributed applications typically have common established network connection topologies, and new connections are often either an indication of a change in the application or an active threat. Unauthorized connections may enable the attacker to infiltrate the applications ecosystem, potentially leading to data breaches, manipulation of sensitive information, or disruption of critical services. Bad actors may exploit these connections to gain access, escalate privileges, move laterally within the microservices, or introduce malicious code or payloads, putting the applications integrity, availability, and confidentiality at risk. 
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic detects UDP communication between a newly seen source and destination workload pair. This is done to identify changes in network behavior between workloads in a kubernetes cluster. This detection leverages Network performance Monitoring metrics harvested using an OTEL collector, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares network activity between workloads over the last 1 hour, with those over the last 30 days in order to detect newly seen inter workload communication. Newly seen network connections in a microservices based app indicate a change in behavior which could indicate potential security threats or anomalies. Distributed applications typically have common established network connection topologies, and new connections are often either an indication of a change in the application or an active threat. Unauthorized connections may enable the attacker to infiltrate the applications ecosystem, potentially leading to data breaches, manipulation of sensitive information, or disruption of critical services. Bad actors may exploit these connections to gain access, escalate privileges, move laterally within the microservices, or introduce malicious code or payloads, putting the applications integrity, availability, and confidentiality at risk. 
action.escu.how_to_implement = To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and enable Network Performance Monitoring according to instructions found in Splunk Docs https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup In order to access those metrics from within Splunk Enterprise and ES, the Splunk Infrastructure Monitoring add-on must be installed and configured on a Splunk Search Head. Once installed, first configure the add-on with your O11y Cloud Org ID and Access Token. Lastly set up the add-on to ingest metrics from O11y cloud using the following settings, and any other settings left at default:\ @@ -10831,7 +11095,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] action.risk = 1 action.risk.param._risk_message = Kubernetes newly seen UDP edge in kubernetes cluster $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 25}] +action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -10839,7 +11103,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Kubernetes newly seen UDP edge - Rule -action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -10856,7 +11120,7 @@ search = | mstats count(udp.packets) as udp.packets_count where `kubernetes_metr action.escu = 0 action.escu.enabled = 1 description = This search uses the Kubernetes logs from a nginx ingress controller to detect local file inclusion attacks. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1212"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1212"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search uses the Kubernetes logs from a nginx ingress controller to detect local file inclusion attacks. action.escu.how_to_implement = You must ingest Kubernetes logs through Splunk Connect for Kubernetes. 
@@ -10871,7 +11135,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Dev Sec Ops"] action.risk = 1 action.risk.param._risk_message = Local File Inclusion Attack detected on $host$ -action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 49}] +action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -10879,7 +11143,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kubernetes Nginx Ingress LFI - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "mitre_attack": ["T1212"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1212"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -10902,7 +11166,7 @@ search = `kubernetes_container_controller` | rex field=_raw "^(?\S+ action.escu = 0 action.escu.enabled = 1 description = This search uses the Kubernetes logs from a nginx ingress controller to detect remote file inclusion attacks. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1212"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1212"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search uses the Kubernetes logs from a nginx ingress controller to detect remote file inclusion attacks. action.escu.how_to_implement = You must ingest Kubernetes logs through Splunk Connect for Kubernetes. 
@@ -10917,7 +11181,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Dev Sec Ops"] action.risk = 1 action.risk.param._risk_message = Remote File Inclusion Attack detected on $host$ -action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 49}] +action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -10925,7 +11189,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kubernetes Nginx Ingress RFI - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "mitre_attack": ["T1212"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1212"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -10948,7 +11212,7 @@ search = `kubernetes_container_controller` | rex field=_raw "^(?\S+ action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the creation of a Kubernetes node port service, an action that exposes a service to the external network. It identifies this behavior by monitoring Kubernetes Audit logs for creation of a Node Port service. This behavior is worth identifying for a SOC as it could potentially allow an attacker to access internal services, posing a significant threat to the integrity and security of the Kubernetes infrastructure. The impact of such an attack could be severe, leading to data breaches, service disruptions, or unauthorized access to sensitive information. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects the creation of a Kubernetes node port service, an action that exposes a service to the external network. It identifies this behavior by monitoring Kubernetes Audit logs for creation of a Node Port service. This behavior is worth identifying for a SOC as it could potentially allow an attacker to access internal services, posing a significant threat to the integrity and security of the Kubernetes infrastructure. The impact of such an attack could be severe, leading to data breaches, service disruptions, or unauthorized access to sensitive information. action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. 
Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. @@ -10963,7 +11227,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Kubernetes Security"] action.risk = 1 action.risk.param._risk_message = Kubernetes node port creation from user $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 49}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -10971,7 +11235,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kubernetes Node Port Creation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -10988,7 +11252,7 @@ search = `kube_audit` "objectRef.resource"=services verb=create requestObject.sp action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the creation of pods in the default, kube-system, or kube-public namespaces. It identifies this behavior by monitoring Kubernetes audit logs for pod creation events in these namespaces. This behavior is worth identifying for a SOC as it may indicate an attacker attempting to hide their presence or evade defenses. Only administrators should typically create pods in the kube-system namespace, and the default and kube-public namespaces should not be used in production. The impact of the attack could be significant, as it may indicate a successful cluster breach and ongoing malicious activity. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects the creation of pods in the default, kube-system, or kube-public namespaces. It identifies this behavior by monitoring Kubernetes audit logs for pod creation events in these namespaces. This behavior is worth identifying for a SOC as it may indicate an attacker attempting to hide their presence or evade defenses. Only administrators should typically create pods in the kube-system namespace, and the default and kube-public namespaces should not be used in production. The impact of the attack could be significant, as it may indicate a successful cluster breach and ongoing malicious activity. action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. 
Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. @@ -11003,7 +11267,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Kubernetes Security"] action.risk = 1 action.risk.param._risk_message = Kubernetes Pod Created in Default Namespace by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 49}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -11011,7 +11275,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kubernetes Pod Created in Default Namespace - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -11028,7 +11292,7 @@ search = `kube_audit` objectRef.resource=pods verb=create objectRef.namespace IN action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the creation of a pod with host network attachment in Kubernetes. It identifies this behavior by monitoring Kubernetes Audit logs for the creation or update of pods with host network configuration. This behavior is worth identifying for a SOC as it could potentially allow an attacker to listen to all network traffic on the node and other compute on the network namespace, capturing secrets passed in arguments or connections to escalate their privileges. The impact of such an attack could be severe, leading to unauthorized access to sensitive information, data breaches, and service disruptions. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects the creation of a pod with host network attachment in Kubernetes. It identifies this behavior by monitoring Kubernetes Audit logs for the creation or update of pods with host network configuration. This behavior is worth identifying for a SOC as it could potentially allow an attacker to listen to all network traffic on the node and other compute on the network namespace, capturing secrets passed in arguments or connections to escalate their privileges. The impact of such an attack could be severe, leading to unauthorized access to sensitive information, data breaches, and service disruptions. action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. 
Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. @@ -11043,7 +11307,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Kubernetes Security"] action.risk = 1 action.risk.param._risk_message = Kubernetes pod with host network attachment from user $user$. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 49}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -11051,7 +11315,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kubernetes Pod With Host Network Attachment - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -11068,7 +11332,7 @@ search = `kube_audit` objectRef.resource=pods verb=create OR verb=update request action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies containerised workloads that have been created using a previously unseen image. This detection leverages process metrics harvested using an OTEL collector and kubernetes cluster receiver, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection uses the k8s.container.ready metric to compare the container image names seen in the last 1 hour with those seen in the 30 days prior to those 1 hour, and alerts if a new container image is detected. When a container in a Kubernetes cluster created using a previously unseen image it raises potential security risks and unknown variables. Unfamiliar container images could contain vulnerabilities, malware, or misconfigurations that pose threats to the cluster's integrity and the applications it hosts. The absence of prior knowledge about the image makes it difficult to assess its trustworthiness, track its lineage, or verify its compliance with security policies. The potential security impact of a container created using a compromised image is significant. Compromised containers can potentially introduce malware, backdoors, or other malicious code into the containerized application, leading to data breaches, service disruptions, and unauthorized access within the Kubernetes cluster. 
A compromised image can serve as a foothold for lateral movement and privilege escalation, potentially compromising other containers, pods, or nodes in the cluster. Additionally, it may enable the actor to exfiltrate sensitive data, manipulate configurations, or execute arbitrary code, posing risks to the confidentiality, availability, and integrity of applications and data hosted within the cluster -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies containerised workloads that have been created using a previously unseen image. This detection leverages process metrics harvested using an OTEL collector and kubernetes cluster receiver, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection uses the k8s.container.ready metric to compare the container image names seen in the last 1 hour with those seen in the 30 days prior to those 1 hour, and alerts if a new container image is detected. When a container in a Kubernetes cluster created using a previously unseen image it raises potential security risks and unknown variables. Unfamiliar container images could contain vulnerabilities, malware, or misconfigurations that pose threats to the cluster's integrity and the applications it hosts. The absence of prior knowledge about the image makes it difficult to assess its trustworthiness, track its lineage, or verify its compliance with security policies. The potential security impact of a container created using a compromised image is significant. 
Compromised containers can potentially introduce malware, backdoors, or other malicious code into the containerized application, leading to data breaches, service disruptions, and unauthorized access within the Kubernetes cluster. A compromised image can serve as a foothold for lateral movement and privilege escalation, potentially compromising other containers, pods, or nodes in the cluster. Additionally, it may enable the actor to exfiltrate sensitive data, manipulate configurations, or execute arbitrary code, posing risks to the confidentiality, availability, and integrity of applications and data hosted within the cluster action.escu.how_to_implement = To implement this detection, follow these steps: \ @@ -11094,7 +11358,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] action.risk = 1 action.risk.param._risk_message = Kubernetes Previously Unseen Container Image Name on host $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 25}] +action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -11102,7 +11366,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Kubernetes Previously Unseen Container Image Name - Rule -action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -11119,7 +11383,7 @@ search = | mstats count(k8s.container.ready) as k8s.container.ready_count where action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic detects newly seen process within the Kubernetes scope on a master or worker node. This detection leverages process metrics harvested using an OTEL collector and hostmetrics receiever, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the processes seen for each node over the previous 1 hour with those over the previous 30 days up until the previous 1 hour. The specific metric used by this detection is process.memory.utilization. Newly seen processes on a Kubernetes worker node are concerning as they may represent security risks and anomalies that could be related to unauthorized activity. New processes may be introduced in an attempt to compromise the node or gain control of the Kubernetes cluster. By detecting these processes, they can be investigated, and correlated with other anomalous activity for that host. Newly seen processes may be part of an attacker's strategy to compromise the node, gain unauthorized access, and subsequently extend their control to the entire Kubernetes cluster. These processes could facilitate activities such as data exfiltration, privilege escalation, denial-of-service attacks, or the introduction of malware and backdoors, putting sensitive data, applications, and the entire infrastructure at risk. 
The consequences may include data breaches, service disruptions, financial losses, and reputational damage, underscoring the need to identify anomalous process and associate them with any concurrent risk activity. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic detects newly seen process within the Kubernetes scope on a master or worker node. This detection leverages process metrics harvested using an OTEL collector and hostmetrics receiever, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the processes seen for each node over the previous 1 hour with those over the previous 30 days up until the previous 1 hour. The specific metric used by this detection is process.memory.utilization. Newly seen processes on a Kubernetes worker node are concerning as they may represent security risks and anomalies that could be related to unauthorized activity. New processes may be introduced in an attempt to compromise the node or gain control of the Kubernetes cluster. By detecting these processes, they can be investigated, and correlated with other anomalous activity for that host. Newly seen processes may be part of an attacker's strategy to compromise the node, gain unauthorized access, and subsequently extend their control to the entire Kubernetes cluster. These processes could facilitate activities such as data exfiltration, privilege escalation, denial-of-service attacks, or the introduction of malware and backdoors, putting sensitive data, applications, and the entire infrastructure at risk. 
The consequences may include data breaches, service disruptions, financial losses, and reputational damage, underscoring the need to identify anomalous process and associate them with any concurrent risk activity. action.escu.how_to_implement = To implement this detection, follow these steps: \ @@ -11145,7 +11409,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] action.risk = 1 action.risk.param._risk_message = Kubernetes Previously Unseen Process on host $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 25}] +action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -11153,7 +11417,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Kubernetes Previously Unseen Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -11170,7 +11434,7 @@ search = | mstats count(process.memory.utilization) as process.memory.utilizati action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic detects processes running within the same scope as Kubernetes that have been run from a newly seen path. This detection leverages process metrics harvested using an OTEL collector and hostmetrics receiever, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the processes seen for each node over the previous 1 hour with those over the previous 30 days up until the previous 1 hour, and alerts if the path for that process was not seen over the previous 30 days. The specific metric used by this detection is process.memory.utilization. Processes running from a newly seen path can signify potential security risks and anomalies. A process executing from an unfamiliar file path may indicate unauthorized changes to the file system, a compromised node, or the introduction of malicious software. If the presence of a process running from a newly seen file path on a Kubernetes node indicates malicious activity, the security implications could be severe. It suggests that an attacker has potentially compromised the node, allowing them to execute unauthorized processes and potentially gain control over critical resources. This could lead to further exploitation, data exfiltration, privilege escalation, or the introduction of malware and backdoors within the Kubernetes cluster. 
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic detects processes running within the same scope as Kubernetes that have been run from a newly seen path. This detection leverages process metrics harvested using an OTEL collector and hostmetrics receiever, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection compares the processes seen for each node over the previous 1 hour with those over the previous 30 days up until the previous 1 hour, and alerts if the path for that process was not seen over the previous 30 days. The specific metric used by this detection is process.memory.utilization. Processes running from a newly seen path can signify potential security risks and anomalies. A process executing from an unfamiliar file path may indicate unauthorized changes to the file system, a compromised node, or the introduction of malicious software. If the presence of a process running from a newly seen file path on a Kubernetes node indicates malicious activity, the security implications could be severe. It suggests that an attacker has potentially compromised the node, allowing them to execute unauthorized processes and potentially gain control over critical resources. This could lead to further exploitation, data exfiltration, privilege escalation, or the introduction of malware and backdoors within the Kubernetes cluster. action.escu.how_to_implement = To implement this detection, follow these steps: \ 
@@ -11196,7 +11460,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] action.risk = 1 action.risk.param._risk_message = Kubernetes Process Running From New Path on host $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 25}] +action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -11204,7 +11468,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Kubernetes Process Running From New Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -11221,7 +11485,7 @@ search = | mstats count(process.memory.utilization) as process.memory.utilizatio action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic identifies high resource utilization anomalies in Kubernetes processes. It uses process metrics from an OTEL collector and hostmetrics receiver, fetched from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. The detection uses a lookup table with average and standard deviation values for various process metrics to identify anomalies. High resource utilization can indicate security threats or operational issues, such as cryptojacking, unauthorized data exfiltration, or compromised containers. These anomalies can disrupt services, exhaust resources, increase costs, and allow attackers to evade detection or maintain access. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies high resource utilization anomalies in Kubernetes processes. It uses process metrics from an OTEL collector and hostmetrics receiver, fetched from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. The detection uses a lookup table with average and standard deviation values for various process metrics to identify anomalies. High resource utilization can indicate security threats or operational issues, such as cryptojacking, unauthorized data exfiltration, or compromised containers. 
These anomalies can disrupt services, exhaust resources, increase costs, and allow attackers to evade detection or maintain access. action.escu.how_to_implement = To implement this detection, follow these steps: \ @@ -11247,7 +11511,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] action.risk = 1 action.risk.param._risk_message = Kubernetes Process with Anomalous Resource Utilisation on host $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 25}] +action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -11255,7 +11519,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Kubernetes Process with Anomalous Resource Utilisation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -11272,7 +11536,7 @@ search = | mstats avg(process.*) as process.* where `kubernetes_metrics` by host action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic detects anomalously changes in the ratio between specific process resources on a Kubernetes node, based on the past behavior for each process running in the Kubernetes scope on that node. This detection leverages process metrics harvested using an OTEL collector and hostmetrics receiver, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection also leverages a lookup table that contains average and standard deviation for the cpu:disk operations, cpu:mem, cpu:thread count, disk operations:thread count, and mem:disk operations ratios. This is used to indicate an anomalous change in resource ratios that indicate the workload has changed behavior irrespective of load. Changes in the relationship between utilization of different resources can indicate a change in behavior of the monitored process, which can indicate a potentially compromised application. Deviations in resource ratios, such as memory-to-CPU or CPU-to-disk utilization, may signify compromised processes, malicious activity, or misconfigurations that could pose risks. A change in process behavior could signify a potential security breach within the Kubernetes environment, where an attacker may have compromised a process either on the node or running within a container. 
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic detects anomalously changes in the ratio between specific process resources on a Kubernetes node, based on the past behavior for each process running in the Kubernetes scope on that node. This detection leverages process metrics harvested using an OTEL collector and hostmetrics receiver, and is pulled from Splunk Observability cloud using the Splunk Infrastructure Monitoring Add-on. (https://splunkbase.splunk.com/app/5247). This detection also leverages a lookup table that contains average and standard deviation for the cpu:disk operations, cpu:mem, cpu:thread count, disk operations:thread count, and mem:disk operations ratios. This is used to indicate an anomalous change in resource ratios that indicate the workload has changed behavior irrespective of load. Changes in the relationship between utilization of different resources can indicate a change in behavior of the monitored process, which can indicate a potentially compromised application. Deviations in resource ratios, such as memory-to-CPU or CPU-to-disk utilization, may signify compromised processes, malicious activity, or misconfigurations that could pose risks. A change in process behavior could signify a potential security breach within the Kubernetes environment, where an attacker may have compromised a process either on the node or running within a container. action.escu.how_to_implement = To implement this detection, follow these steps: \ 
@@ -11298,7 +11562,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] action.risk = 1 action.risk.param._risk_message = Kubernetes Process with Resource Ratio Anomalies on host $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 25}] +action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -11306,7 +11570,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Kubernetes Process with Resource Ratio Anomalies - Rule -action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -11323,7 +11587,7 @@ search = | mstats avg(process.*) as process.* where `kubernetes_metrics` by host action.escu = 0 action.escu.enabled = 1 description = This search uses the Kubernetes logs from Splunk Connect from Kubernetes to detect Kubernetes Security Scanner. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1526"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search uses the Kubernetes logs from Splunk Connect from Kubernetes to detect Kubernetes Security Scanner. action.escu.how_to_implement = You must ingest Kubernetes logs through Splunk Connect for Kubernetes. @@ -11338,7 +11602,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Dev Sec Ops"] action.risk = 1 action.risk.param._risk_message = Kubernetes Scanner image pulled on host $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 81}] +action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "other", "risk_score": 81}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -11346,7 +11610,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kubernetes Scanner Image Pulling - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 90, "impact": 90, "mitre_attack": ["T1526"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
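Review bot: The new `"kill_chain_phases": ["Exploitation"]` added to `action.escu.mappings` and `action.correlationsearch.annotations` for Kubernetes Scanner Image Pulling does not fit the technique the same lines carry, T1526 (Cloud Service Discovery): pulling kube-hunter is reconnaissance of the cluster, and an analyst triaging notables by phase will file it as post-exploitation. The next hunk does the same for T1046 on Kubernetes Scanning by Unauthenticated IP Address. If the phase is derived from the technique's tactic by the content generator, the Discovery → Exploitation entry in that table is the thing to fix; otherwise the generated value should be `"kill_chain_phases": ["Reconnaissance"]`. The `@@ -11338` hunk also changes the `host` object with score 81 to `"risk_object_type": "other"`, which removes asset enrichment from the one high-confidence, notable-producing search in this set.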
@@ -11369,7 +11633,7 @@ search = `kube_objects_events` object.message IN ("Pulling image *kube-hunter*", action.escu = 0 action.escu.enabled = 1 description = This detection rule is designed to identify potential scanning activities within a Kubernetes environment. Scanning is a common preliminary step in an attack, where the attacker tries to gather information about the system to find potential vulnerabilities. In the context of Kubernetes, scanning could involve activities like unauthorized access attempts, probing public APIs, or trying to exploit known vulnerabilities. This rule triggers an alert when such suspicious activities are detected, helping to ensure the security of your Kubernetes infrastructure. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1046"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1046"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This detection rule is designed to identify potential scanning activities within a Kubernetes environment. Scanning is a common preliminary step in an attack, where the attacker tries to gather information about the system to find potential vulnerabilities. In the context of Kubernetes, scanning could involve activities like unauthorized access attempts, probing public APIs, or trying to exploit known vulnerabilities. This rule triggers an alert when such suspicious activities are detected, helping to ensure the security of your Kubernetes infrastructure. action.escu.how_to_implement = You must ingest Kubernetes audit logs. 
@@ -11384,7 +11648,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Kubernetes Security"] action.risk = 1 action.risk.param._risk_message = Kubernetes scanning from ip $src_ip$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 49}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -11392,7 +11656,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kubernetes Scanning by Unauthenticated IP Address - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "mitre_attack": ["T1046"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1046"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
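Review bot: In the `@@ -11384` hunk both risk objects lose their type — `user` goes from `"user"` to `"other"` and `src_ip` from `"system"` to `"other"` — so a scanning source that also appears in asset- or identity-scoped detections stops correlating in risk-based alerting, and `src_ip` is no longer resolved against the asset lookup. The stanza filters on `"user.groups{}"="system:unauthenticated"` (visible in the following hunk header), so the `user` object carries little identity value here, but `src_ip` is the actionable entity and should stay `{"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 49}`. The same downgrade of `user` and `src_ip` is repeated in the Kubernetes Suspicious Image Pulling and Kubernetes Unauthorized Access hunks further down, where a real authenticated `user` is present and the loss of identity enrichment matters more. As this file is generated, the fix belongs in the upstream detection definitions.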
@@ -11409,7 +11673,7 @@ search = `kube_audit` "user.groups{}"="system:unauthenticated" "responseStatus.c action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic identifies shell activity within the Kubernetes privilege scope on a worker node, returning a list of shell processes regardless of CPU resource consumption. It uses process metrics from an OTEL collector hostmetrics receiver, pulled from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. Metrics used are process.cpu.utilization and process.memory.utilization. Shell processes can indicate unauthorized or suspicious activity, posing a security threat. Shell access to worker nodes can provide attackers an entry point to compromise the node and the entire Kubernetes cluster. Monitoring and detecting shell processes is crucial for anomaly identification, security policy enforcement, and breach mitigation. Unauthorized shell processes on a Kubernetes worker node can severely compromise the cluster's security and integrity. Such access can lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks within the cluster. It may also enable attackers to manipulate configurations, deploy malicious containers, and execute arbitrary code, posing a severe risk to the confidentiality, availability, and integrity of applications and sensitive data. 
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies shell activity within the Kubernetes privilege scope on a worker node, returning a list of shell processes regardless of CPU resource consumption. It uses process metrics from an OTEL collector hostmetrics receiver, pulled from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. Metrics used are process.cpu.utilization and process.memory.utilization. Shell processes can indicate unauthorized or suspicious activity, posing a security threat. Shell access to worker nodes can provide attackers an entry point to compromise the node and the entire Kubernetes cluster. Monitoring and detecting shell processes is crucial for anomaly identification, security policy enforcement, and breach mitigation. Unauthorized shell processes on a Kubernetes worker node can severely compromise the cluster's security and integrity. Such access can lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks within the cluster. It may also enable attackers to manipulate configurations, deploy malicious containers, and execute arbitrary code, posing a severe risk to the confidentiality, availability, and integrity of applications and sensitive data. action.escu.how_to_implement = To implement this detection, follow these steps: \ 
@@ -11435,7 +11699,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] action.risk = 1 action.risk.param._risk_message = Kubernetes shell running on worker node on host $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 25}] +action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -11443,7 +11707,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Kubernetes Shell Running on Worker Node - Rule -action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -11460,7 +11724,7 @@ search = | mstats avg(process.cpu.utilization) as process.cpu.utilization avg(pr action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic identifies shell activity within the Kubernetes privilege scope on a worker node. It returns shell processes only if they're consuming CPU resources. The detection uses process metrics from an OTEL collector hostmetrics receiver, pulled from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. The metrics used are process.cpu.utilization and process.memory.utilization. Shell processes can indicate unauthorized activity, posing a security threat. Attackers could compromise the node and the entire Kubernetes cluster via shell access to worker nodes. Monitoring shell processes is crucial for anomaly detection, policy enforcement, and breach mitigation. Unauthorized shell processes on a Kubernetes worker node could severely impact the cluster's security and integrity. Attackers could gain full control over the host's resources and file system, compromising all hosted workloads and data. This access could lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks within the cluster. Attackers could also manipulate configurations, deploy malicious containers, and execute arbitrary code, severely risking the confidentiality, availability, and integrity of applications and sensitive data. A rapid and comprehensive incident response is required to mitigate and recover from such a breach. 
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies shell activity within the Kubernetes privilege scope on a worker node. It returns shell processes only if they're consuming CPU resources. The detection uses process metrics from an OTEL collector hostmetrics receiver, pulled from Splunk Observability cloud via the Splunk Infrastructure Monitoring Add-on. The metrics used are process.cpu.utilization and process.memory.utilization. Shell processes can indicate unauthorized activity, posing a security threat. Attackers could compromise the node and the entire Kubernetes cluster via shell access to worker nodes. Monitoring shell processes is crucial for anomaly detection, policy enforcement, and breach mitigation. Unauthorized shell processes on a Kubernetes worker node could severely impact the cluster's security and integrity. Attackers could gain full control over the host's resources and file system, compromising all hosted workloads and data. This access could lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks within the cluster. Attackers could also manipulate configurations, deploy malicious containers, and execute arbitrary code, severely risking the confidentiality, availability, and integrity of applications and sensitive data. A rapid and comprehensive incident response is required to mitigate and recover from such a breach. action.escu.how_to_implement = To implement this detection, follow these steps: \ 
@@ -11486,7 +11750,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"] action.risk = 1 action.risk.param._risk_message = Kubernetes shell with cpu activity running on worker node on host $host$ -action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "system", "risk_score": 25}] +action.risk.param._risk = [{"risk_object_field": "host", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -11494,7 +11758,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Kubernetes Shell Running on Worker Node with CPU Activity - Rule -action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -11511,7 +11775,7 @@ search = | mstats avg(process.cpu.utilization) as process.cpu.utilization avg(pr action.escu = 0 action.escu.enabled = 1 description = The following analytic detects instances of suspicious image pulling in Kubernetes. It identifies this behavior by monitoring Kubernetes audit logs for image pull requests that do not match a predefined list of allowed images. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to deploy malicious software or infiltrate the system. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects instances of suspicious image pulling in Kubernetes. It identifies this behavior by monitoring Kubernetes audit logs for image pull requests that do not match a predefined list of allowed images. This behavior is worth identifying for a SOC as it could indicate an attacker attempting to deploy malicious software or infiltrate the system. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. 
This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. @@ -11526,7 +11790,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Kubernetes Security"] action.risk = 1 action.risk.param._risk_message = Suspicious image $objectRef.name$ pulled in Kubernetes from ip $src_ip$ by user $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 49}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -11534,7 +11798,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kubernetes Suspicious Image Pulling - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "mitre_attack": ["T1526"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -11551,7 +11815,7 @@ search = `kube_audit` requestObject.message="Pulling image*" | search NOT `kube_ action.escu = 0 action.escu.enabled = 1 description = The following analytic detects unauthorized access to Kubernetes by monitoring Kubernetes audit logs. It identifies anomalies in access patterns by segmenting and analyzing the source of requests. Unauthorized access is worth identifying for a SOC as it could indicate an attacker attempting to infiltrate the system. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects unauthorized access to Kubernetes by monitoring Kubernetes audit logs. It identifies anomalies in access patterns by segmenting and analyzing the source of requests. Unauthorized access is worth identifying for a SOC as it could indicate an attacker attempting to infiltrate the system. The impact of such an attack could be severe, potentially leading to unauthorized access to sensitive systems or data. action.escu.how_to_implement = The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster. Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities. Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server. Use the Splunk OpenTelemetry Collector for Kubernetes to collect the logs. 
This doc will describe how to collect the audit log file https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md. @@ -11566,7 +11830,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Kubernetes Security"] action.risk = 1 action.risk.param._risk_message = Unauthorized access to Kubernetes from user $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 49}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 49}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -11574,7 +11838,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kubernetes Unauthorized Access - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "mitre_attack": ["T1204"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Security"], "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -11591,7 +11855,7 @@ search = `kube_audit` verb=create responseStatus.reason=Forbidden | fillnull | s action.escu = 0 action.escu.enabled = 1 description = This search is designed to detect the creation of a new Federation setting by alerting on a specific event associated with its creation. By monitoring for this event, the search can identify any instances where a Federation setting is being created within the system. This can help in detecting and monitoring any unauthorized or suspicious changes to the Federation settings, providing an additional layer of security for your environment. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search is designed to detect the creation of a new Federation setting by alerting on a specific event associated with its creation. By monitoring for this event, the search can identify any instances where a Federation setting is being created within the system. This can help in detecting and monitoring any unauthorized or suspicious changes to the Federation settings, providing an additional layer of security for your environment. action.escu.how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity 
@@ -11614,7 +11878,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 Add App Role Assignment Grant User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms", "Cloud Federated Credential Abuse"], "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms", "Cloud Federated Credential Abuse"], "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -11637,7 +11901,7 @@ search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Add action.escu = 0 action.escu.enabled = 1 description = The following analytic detects addition of new service principal accounts added to O365 tenants. Attackers can abuse service principals in Office 365 (now known as Microsoft 365) to gain unauthorized access and perform malicious actions within an organization's environment. Service principals are essentially non-human accounts used by applications, services, or scripts to access resources and interact with APIs on behalf of the organization. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects addition of new service principal accounts added to O365 tenants. Attackers can abuse service principals in Office 365 (now known as Microsoft 365) to gain unauthorized access and perform malicious actions within an organization's environment. Service principals are essentially non-human accounts used by applications, services, or scripts to access resources and interact with APIs on behalf of the organization. action.escu.how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity 
@@ -11649,7 +11913,7 @@ action.escu.full_search_name = ESCU - O365 Added Service Principal - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null -action.escu.analytic_story = ["Office 365 Persistence Mechanisms", "Cloud Federated Credential Abuse"] +action.escu.analytic_story = ["Office 365 Persistence Mechanisms", "Cloud Federated Credential Abuse", "NOBELIUM Group"] action.risk = 1 action.risk.param._risk_message = User $src_user$ has created new service principal $new_value$ in AzureActiveDirectory action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 42}] @@ -11660,7 +11924,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 Added Service Principal - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms", "Cloud Federated Credential Abuse"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms", "Cloud Federated Credential Abuse", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -11679,11 +11943,57 @@ realtime_schedule = 0 is_visible = false search = `o365_management_activity` Workload=AzureActiveDirectory Operation="*Add service principal*" OR (Operation = "*principal*" AND action = "created") | stats count values(ModifiedProperties{}.NewValue) as new_value by src_user src_user_type action Operation authentication_service Workload | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_added_service_principal_filter` +[ESCU - O365 Admin Consent Bypassed by Service Principal - Rule] +action.escu = 0 +action.escu.enabled = 1 +description = This detection targets situations where a service principal in Office 365 Azure Active Directory assigns app roles without the standard admin consent, a potential security breach. Using o365_management_activity logs, it examines the 'Add app role assignment to service principal' operation, focusing on service principals and extracting details like role ID and description. This is critical for SOCs to detect potential bypassing of crucial administrative controls, which could lead to unauthorized access or privilege escalation. A true positive implies a service principal might be misusing automated processes to assign sensitive permissions. +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]} +action.escu.data_models = [] +action.escu.eli5 = This detection targets situations where a service principal in Office 365 Azure Active Directory assigns app roles without the standard admin consent, a potential security breach. Using o365_management_activity logs, it examines the 'Add app role assignment to service principal' operation, focusing on service principals and extracting details like role ID and description. This is critical for SOCs to detect potential bypassing of crucial administrative controls, which could lead to unauthorized access or privilege escalation. 
A true positive implies a service principal might be misusing automated processes to assign sensitive permissions. +action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. +action.escu.known_false_positives = Service Principals are sometimes configured to legitimately bypass the consent process for purposes of automation. Filter as needed. +action.escu.creation_date = 2024-02-09 +action.escu.modification_date = 2024-02-09 +action.escu.confidence = high +action.escu.full_search_name = ESCU - O365 Admin Consent Bypassed by Service Principal - Rule +action.escu.search_type = detection +action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] +action.escu.providing_technologies = null +action.escu.analytic_story = ["Office 365 Persistence Mechanisms"] +action.risk = 1 +action.risk.param._risk_message = Service principal $src_user$ bypassed the admin consent process and granted permissions to $dest_user$ +action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "other", "risk_score": 54}] +action.risk.param._risk_score = 0 +action.risk.param.verbose = 0 +cron_schedule = 0 * * * * +dispatch.earliest_time = -70m@m +dispatch.latest_time = -10m@m +action.correlationsearch.enabled = 1 +action.correlationsearch.label = ESCU - O365 Admin Consent Bypassed by Service Principal - Rule +action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]} +schedule_window = auto +action.notable = 1 +action.notable.param.nes_fields = user,dest +action.notable.param.rule_description = This detection targets situations where a service principal in Office 365 Azure Active Directory assigns app roles without the standard admin consent, a potential security breach. 
Using o365_management_activity logs, it examines the 'Add app role assignment to service principal' operation, focusing on service principals and extracting details like role ID and description. This is critical for SOCs to detect potential bypassing of crucial administrative controls, which could lead to unauthorized access or privilege escalation. A true positive implies a service principal might be misusing automated processes to assign sensitive permissions. +action.notable.param.rule_title = O365 Admin Consent Bypassed by Service Principal +action.notable.param.security_domain = identity +action.notable.param.severity = high +alert.digest_mode = 1 +disabled = true +enableSched = 1 +allow_skew = 100% +counttype = number of events +relation = greater than +quantity = 0 +realtime_schedule = 0 +is_visible = false +search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Add app role assignment to service principal." | eval len=mvcount('Actor{}.ID') | eval userType = mvindex('Actor{}.ID',len-1) | eval roleId = mvindex('ModifiedProperties{}.NewValue', 0) | eval roleValue = mvindex('ModifiedProperties{}.NewValue', 1) | eval roleDescription = mvindex('ModifiedProperties{}.NewValue', 2) | eval dest_user = mvindex('Target{}.ID', 0) | search userType = "ServicePrincipal" | eval src_user = user | stats count earliest(_time) as firstTime latest(_time) as lastTime by src_user dest_user roleId roleValue roleDescription | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_admin_consent_bypassed_by_service_principal_filter` + [ESCU - O365 Advanced Audit Disabled - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies instances where the O365 advanced audit is disabled for a specific user within the Office 365 tenant. It leverages O365 audit logs, specifically events related to audit license changes or modifications within the AzureActiveDirectory workloads. 
The O365 advanced audit provides granular logging and insights into user and administrator activities, making it a crucial tool for security monitoring and incident response. Disabling this audit for a user can blind security teams to potential malicious or unauthorized activities related to that user's mailbox or account. Attackers may disable these audits to obscure their actions and reduce the chances of detection. If an attacker successfully disables the O365 advanced audit for a user, they can operate within that user's mailbox or account with reduced risk of detection. This can lead to unauthorized data access, data exfiltration, account compromise, or other malicious activities without leaving a detailed audit trail. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]} action.escu.data_models = ["Change"] action.escu.eli5 = The following analytic identifies instances where the O365 advanced audit is disabled for a specific user within the Office 365 tenant. It leverages O365 audit logs, specifically events related to audit license changes or modifications within the AzureActiveDirectory workloads. The O365 advanced audit provides granular logging and insights into user and administrator activities, making it a crucial tool for security monitoring and incident response. Disabling this audit for a user can blind security teams to potential malicious or unauthorized activities related to that user's mailbox or account. Attackers may disable these audits to obscure their actions and reduce the chances of detection. If an attacker successfully disables the O365 advanced audit for a user, they can operate within that user's mailbox or account with reduced risk of detection. 
This can lead to unauthorized data access, data exfiltration, account compromise, or other malicious activities without leaving a detailed audit trail. action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. @@ -11698,7 +12008,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Office 365 Persistence Mechanisms"] action.risk = 1 action.risk.param._risk_message = Advanced auditing for user $object$ was disabled by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 32}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 32}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -11706,7 +12016,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 Advanced Audit Disabled - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562", "T1562.008"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
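Review bot: The ATT&CK mapping on the new `ESCU - O365 Admin Consent Bypassed by Service Principal - Rule` is wrong in both `action.escu.mappings` and `action.correlationsearch.annotations`: T1003.002 is OS Credential Dumping / Security Account Manager, which has nothing to do with a service principal granting app roles in Azure AD; an app-role assignment that skips admin consent is an Account Manipulation case, most likely `"mitre_attack": ["T1098", "T1098.003"]` (Additional Cloud Roles), so the rule will be filed under the wrong technique in every MITRE view and risk rollup. The notable is also misconfigured: `action.notable.param.nes_fields = user,dest` names fields the search never emits, because the `stats count ... by src_user dest_user roleId roleValue roleDescription` drops `user` and there is no `dest` at all; it should read `action.notable.param.nes_fields = src_user,dest_user` to match the fields the `_risk_message` already relies on. Less certain: the `mvindex('ModifiedProperties{}.NewValue', 0/1/2)` extraction assumes a fixed positional order of ModifiedProperties in the `Add app role assignment to service principal.` event, and only the last `Actor{}.ID` element is checked against `ServicePrincipal`; if either ordering varies across tenants or log versions the role fields will be mislabeled or the event silently filtered, so a short comment documenting the expected record shape (and a test event) would help whoever tunes this next.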
@@ -11729,7 +12039,7 @@ search = `o365_management_activity` Operation="Change user license." | eval pro action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies instances where a new owner is assigned to an application registration within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in owner assignments within the AzureActiveDirectory workload for application registrations. Assigning a new owner to an application registration can grant significant control over the application's configuration, permissions, and behavior. An unauthorized or inadvertent change in ownership can lead to misuse of the application, potentially affecting data access, user permissions, or the application's interactions within the tenant. Monitoring for such changes ensures that only legitimate and authorized personnel have control over application registrations. If an attacker successfully assigns themselves or a compromised account as an owner to an application registration, they can modify the application's settings, permissions, and behavior. This can lead to unauthorized data access, escalation of privileges, or the introduction of malicious behavior within the application's operations -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies instances where a new owner is assigned to an application registration within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in owner assignments within the AzureActiveDirectory workload for application registrations. 
Assigning a new owner to an application registration can grant significant control over the application's configuration, permissions, and behavior. An unauthorized or inadvertent change in ownership can lead to misuse of the application, potentially affecting data access, user permissions, or the application's interactions within the tenant. Monitoring for such changes ensures that only legitimate and authorized personnel have control over application registrations. If an attacker successfully assigns themselves or a compromised account as an owner to an application registration, they can modify the application's settings, permissions, and behavior. This can lead to unauthorized data access, escalation of privileges, or the introduction of malicious behavior within the application's operations action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. @@ -11741,10 +12051,10 @@ action.escu.full_search_name = ESCU - O365 Application Registration Owner Added action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null -action.escu.analytic_story = ["Office 365 Persistence Mechanisms"] +action.escu.analytic_story = ["Office 365 Persistence Mechanisms", "NOBELIUM Group"] action.risk = 1 action.risk.param._risk_message = Application registration $app_displayName$ was assigned a new owner $object$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 30}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 30}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -11752,7 +12062,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 Application Registration Owner Added - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "mitre_attack": ["T1098"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -11775,7 +12085,7 @@ search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Add action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the assignment of the ApplicationImpersonation role in Office 365, either to a user or an application. This analytic leverages the Office 365 Management Activity API, specifically monitoring for events related to role assignments and changes within the Azure Active Directory audit logs. The ApplicationImpersonation role allows a security principal to impersonate any user within the organization and perform actions on their behalf, such as accessing or modifying their mailbox. This role, if misused or granted inappropriately, can pose a significant security risk. Monitoring the assignment of this role is crucial as it can be an indicator of potential malicious activity or misconfigurations. If an attacker successfully assigns the ApplicationImpersonation role to a malicious user or application, they can gain the ability to impersonate any user within the organization. This can lead to unauthorized access to sensitive information, manipulation of mailbox data, and other malicious actions. The attacker can effectively masquerade as a legitimate user, making their actions harder to detect and potentially causing significant harm to the organization. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1098", "T1098.002"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.002"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the assignment of the ApplicationImpersonation role in Office 365, either to a user or an application. This analytic leverages the Office 365 Management Activity API, specifically monitoring for events related to role assignments and changes within the Azure Active Directory audit logs. 
The ApplicationImpersonation role allows a security principal to impersonate any user within the organization and perform actions on their behalf, such as accessing or modifying their mailbox. This role, if misused or granted inappropriately, can pose a significant security risk. Monitoring the assignment of this role is crucial as it can be an indicator of potential malicious activity or misconfigurations. If an attacker successfully assigns the ApplicationImpersonation role to a malicious user or application, they can gain the ability to impersonate any user within the organization. This can lead to unauthorized access to sensitive information, manipulation of mailbox data, and other malicious actions. The attacker can effectively masquerade as a legitimate user, making their actions harder to detect and potentially causing significant harm to the organization. action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. @@ -11787,10 +12097,10 @@ action.escu.full_search_name = ESCU - O365 ApplicationImpersonation Role Assigne action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null -action.escu.analytic_story = ["Office 365 Persistence Mechanisms"] +action.escu.analytic_story = ["Office 365 Persistence Mechanisms", "NOBELIUM Group"] action.risk = 1 action.risk.param._risk_message = $user$ granted the ApplicationImpersonation role to $target_user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 56}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -11798,7 +12108,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 ApplicationImpersonation Role Assigned - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "mitre_attack": ["T1098", "T1098.002"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -11821,7 +12131,7 @@ search = `o365_management_activity` Workload=Exchange Operation="New-ManagementR action.escu = 0 action.escu.enabled = 1 description = This analytic detects when the "risk-based step-up consent" security setting in Microsoft 365 is disabled. This setting, when enabled, prevents regular users from granting consent to potentially malicious OAuth applications, requiring an administrative "step-up" for consent instead. Disabling this feature could expose the organization to OAuth phishing threats.The detection operates by monitoring Azure Active Directory logs for events where the "Update authorization policy" operation is performed. It specifically looks for changes to the "AllowUserConsentForRiskyApps" setting, identifying instances where this setting is switched to "true," effectively disabling the risk-based step-up consent. Monitoring for changes to critical security settings like the "risk-based step-up consent" is vital for maintaining the integrity of an organization's security posture. Disabling this feature can make the environment more susceptible to OAuth phishing attacks, where attackers trick users into granting permissions to malicious applications. Identifying when this setting is disabled can help blue teams to quickly respond, investigate, and potentially uncover targeted phishing campaigns against their users. If an attacker successfully disables the "risk-based step-up consent" and subsequently launches an OAuth phishing campaign, they could gain unauthorized access to user data and other sensitive information within the M365 environment. This could lead to data breaches, unauthorized access to emails, and potentially further compromise within the organization. 
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562"], "nist": ["DE.CM"]} action.escu.data_models = ["Risk"] action.escu.eli5 = This analytic detects when the "risk-based step-up consent" security setting in Microsoft 365 is disabled. This setting, when enabled, prevents regular users from granting consent to potentially malicious OAuth applications, requiring an administrative "step-up" for consent instead. Disabling this feature could expose the organization to OAuth phishing threats.The detection operates by monitoring Azure Active Directory logs for events where the "Update authorization policy" operation is performed. It specifically looks for changes to the "AllowUserConsentForRiskyApps" setting, identifying instances where this setting is switched to "true," effectively disabling the risk-based step-up consent. Monitoring for changes to critical security settings like the "risk-based step-up consent" is vital for maintaining the integrity of an organization's security posture. Disabling this feature can make the environment more susceptible to OAuth phishing attacks, where attackers trick users into granting permissions to malicious applications. Identifying when this setting is disabled can help blue teams to quickly respond, investigate, and potentially uncover targeted phishing campaigns against their users. If an attacker successfully disables the "risk-based step-up consent" and subsequently launches an OAuth phishing campaign, they could gain unauthorized access to user data and other sensitive information within the M365 environment. This could lead to data breaches, unauthorized access to emails, and potentially further compromise within the organization. action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
@@ -11836,7 +12146,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Office 365 Account Takeover"] action.risk = 1 action.risk.param._risk_message = Risk-based step-up consent security setting was disabled by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 30}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 30}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -11844,7 +12154,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 Block User Consent For Risky Apps Disabled - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "mitre_attack": ["T1562"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -11867,7 +12177,7 @@ search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Upd action.escu = 0 action.escu.enabled = 1 description = This analytic identifies instances where new IP addresses are added to the trusted IPs list in Office 365, potentially allowing users from these IPs to bypass Multi-Factor Authentication (MFA) during login. The detection leverages O365 audit logs, specifically focusing on events related to the modification of trusted IP settings. By monitoring these logs, the analytic captures and alerts on any addition of new trusted IPs. Adding trusted IPs to bypass MFA is a significant security concern. While there might be legitimate reasons to add trusted IPs, such as for a new office location, there's also a risk of attackers or malicious insiders using this to facilitate unauthorized access. Monitoring for changes to the trusted IP list helps ensure that any attempt to bypass MFA is legitimate and authorized. If the detection is a true positive, it suggests that users logging in from the newly added trusted IP can bypass MFA, potentially weakening the security posture of the organization. This could lead to unauthorized access, especially if the IP was added maliciously. Immediate investigation is required to validate the legitimacy of the IP addition and to assess potential security implications. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} action.escu.data_models = ["Authentication"] action.escu.eli5 = This analytic identifies instances where new IP addresses are added to the trusted IPs list in Office 365, potentially allowing users from these IPs to bypass Multi-Factor Authentication (MFA) during login. 
The detection leverages O365 audit logs, specifically focusing on events related to the modification of trusted IP settings. By monitoring these logs, the analytic captures and alerts on any addition of new trusted IPs. Adding trusted IPs to bypass MFA is a significant security concern. While there might be legitimate reasons to add trusted IPs, such as for a new office location, there's also a risk of attackers or malicious insiders using this to facilitate unauthorized access. Monitoring for changes to the trusted IP list helps ensure that any attempt to bypass MFA is legitimate and authorized. If the detection is a true positive, it suggests that users logging in from the newly added trusted IP can bypass MFA, potentially weakening the security posture of the organization. This could lead to unauthorized access, especially if the IP was added maliciously. Immediate investigation is required to validate the legitimacy of the IP addition and to assess potential security implications. action.escu.how_to_implement = You must install Splunk Microsoft Office 365 add-on. This search works with o365:management:activity @@ -11882,7 +12192,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Office 365 Persistence Mechanisms"] action.risk = 1 action.risk.param._risk_message = User $user_id$ has added new IP addresses $ip_addresses_new_added$ to a list of trusted IPs to bypass MFA -action.risk.param._risk = [{"risk_object_field": "ip_addresses_new_added", "risk_object_type": "system", "risk_score": 42}, {"risk_object_field": "user_id", "risk_object_type": "user", "risk_score": 42}] +action.risk.param._risk = [{"risk_object_field": "ip_addresses_new_added", "risk_object_type": "other", "risk_score": 42}, {"risk_object_field": "user_id", "risk_object_type": "other", "risk_score": 42}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -11890,7 +12200,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 Bypass MFA via Trusted IP - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -11913,7 +12223,7 @@ search = `o365_management_activity` Operation="Set Company Information." Modifie action.escu = 0 action.escu.enabled = 1 description = The following analytic identies scenarios where the same user session is accessed from multiple IP addresses. This situation typically arises in an adversary-in-the-middle (AiTM) phishing attack, where attackers compromise user sessions. The detection method involves analyzing Azure Active Directory logs for 'UserLoggedIn' operations. It focuses on identifying sessions where the number of associated IP addresses exceeds one for the same SessionId. This pattern suggests potential unauthorized concurrent access, which is atypical under normal usage scenarios. If a true positive is identified, it implies that an adversary has gained unauthorized access to a user's Office 365 account. The ramifications of this can be significant, including data theft, account takeover, and launching of internal phishing campaigns. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1185"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identies scenarios where the same user session is accessed from multiple IP addresses. This situation typically arises in an adversary-in-the-middle (AiTM) phishing attack, where attackers compromise user sessions. The detection method involves analyzing Azure Active Directory logs for 'UserLoggedIn' operations. It focuses on identifying sessions where the number of associated IP addresses exceeds one for the same SessionId. This pattern suggests potential unauthorized concurrent access, which is atypical under normal usage scenarios. If a true positive is identified, it implies that an adversary has gained unauthorized access to a user's Office 365 account. 
The ramifications of this can be significant, including data theft, account takeover, and launching of internal phishing campaigns. action.escu.how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity @@ -11928,7 +12238,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Office 365 Account Takeover"] action.risk = 1 action.risk.param._risk_message = User $user$ has logged in with the same session id from more than one unique IP address -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}, {"risk_object_field": "ips", "risk_object_type": "system", "risk_score": 42}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}, {"risk_object_field": "ips", "risk_object_type": "other", "risk_score": 42}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -11936,7 +12246,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 Concurrent Sessions From Different Ips - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "mitre_attack": ["T1185"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1185"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -11959,7 +12269,7 @@ search = `o365_management_activity` Workload=AzureActiveDirectory Operation=Us action.escu = 0 action.escu.enabled = 1 description = This analytic identifies instances where Multi-Factor Authentication (MFA) is disabled for a user within the Office 365 environment. Disabling MFA removes a critical security layer, making accounts more vulnerable to unauthorized access. The detection leverages O365 audit logs, specifically focusing on events related to MFA settings. By monitoring these logs, the analytic captures and alerts on any actions that result in the deactivation or disabling of MFA for a user. MFA is a cornerstone of modern security practices, providing an additional layer of protection beyond just a password. Disabling MFA, especially without a valid reason, poses a significant security risk. Attackers, after gaining initial access to an account, might disable MFA to ensure easier re-entry and persistence. Monitoring for such changes is crucial to detect potential security breaches and to ensure that security best practices are consistently applied. If the detection is a true positive, it indicates that a user's account is now at increased risk of unauthorized access, as the added security layer of MFA has been removed. This could be a sign of an attacker trying to maintain persistence or an insider threat. Immediate investigation is required to validate the reason for disabling MFA, potentially re-enable it, and assess any other suspicious activities related to the affected account. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1556"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556"], "nist": ["DE.CM"]} action.escu.data_models = ["Authentication"] action.escu.eli5 = This analytic identifies instances where Multi-Factor Authentication (MFA) is disabled for a user within the Office 365 environment. 
Disabling MFA removes a critical security layer, making accounts more vulnerable to unauthorized access. The detection leverages O365 audit logs, specifically focusing on events related to MFA settings. By monitoring these logs, the analytic captures and alerts on any actions that result in the deactivation or disabling of MFA for a user. MFA is a cornerstone of modern security practices, providing an additional layer of protection beyond just a password. Disabling MFA, especially without a valid reason, poses a significant security risk. Attackers, after gaining initial access to an account, might disable MFA to ensure easier re-entry and persistence. Monitoring for such changes is crucial to detect potential security breaches and to ensure that security best practices are consistently applied. If the detection is a true positive, it indicates that a user's account is now at increased risk of unauthorized access, as the added security layer of MFA has been removed. This could be a sign of an attacker trying to maintain persistence or an insider threat. Immediate investigation is required to validate the reason for disabling MFA, potentially re-enable it, and assess any other suspicious activities related to the affected account. action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 add-on. This search works with o365:management:activity 
@@ -11982,7 +12292,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 Disable MFA - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1556"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -12005,7 +12315,7 @@ search = `o365_management_activity` Operation="Disable Strong Authentication." | action.escu = 0 action.escu.enabled = 1 description = This search detects when an excessive number of authentication failures occur this search also includes attempts against MFA prompt codes -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]} action.escu.data_models = ["Authentication"] action.escu.eli5 = This search detects when an excessive number of authentication failures occur this search also includes attempts against MFA prompt codes action.escu.how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity 
@@ -12020,7 +12330,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Office 365 Account Takeover"] action.risk = 1 action.risk.param._risk_message = User $user$ has caused excessive number of authentication failures from $src_ip$ using UserAgent $UserAgent$. -action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}] +action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -12028,7 +12338,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 Excessive Authentication Failures Alert - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1110"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -12045,7 +12355,7 @@ search = `o365_management_activity` Workload=AzureActiveDirectory UserAuthentica action.escu = 0 action.escu.enabled = 1 description = The following analytic detects accounts with high number of Single Sign ON (SSO) logon errors. Excessive logon errors may indicate attempts to bruteforce of password or single sign on token hijack or reuse. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1556"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects accounts with high number of Single Sign ON (SSO) logon errors. Excessive logon errors may indicate attempts to bruteforce of password or single sign on token hijack or reuse. action.escu.how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity @@ -12060,7 +12370,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Office 365 Account Takeover", "Cloud Federated Credential Abuse"] action.risk = 1 action.risk.param._risk_message = Excessive number of SSO logon errors from $src_ip$ using UserAgent $user_agent$. -action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}] +action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -12068,7 +12378,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 Excessive SSO logon errors - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover", "Cloud Federated Credential Abuse"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1556"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover", "Cloud Federated Credential Abuse"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -12085,7 +12395,7 @@ search = `o365_management_activity` Workload=AzureActiveDirectory LogonError=*Ss action.escu = 0 action.escu.enabled = 1 description = This analytic identifies instances where a user in the Office 365 environment grants consent to an application that requests file permissions, specifically targeting OneDrive or SharePoint. Such permissions mean the application could potentially access, modify, or delete files stored within these services. The detection process leverages O365 audit logs, particularly focusing on events related to OAuth application consents. By examining these logs, the analytic is designed to capture and alert on any actions where users grant consent to applications requesting file-related permissions for OneDrive or SharePoint. The sensitivity of file permissions, especially in platforms as widely utilized as OneDrive and SharePoint, cannot be overstated. While many legitimate applications might require such permissions to operate, there's an inherent risk with malicious or overly permissive applications. Attackers could craft or exploit applications to gain file permissions, aiming to access, exfiltrate, or manipulate sensitive data housed in OneDrive or SharePoint. It's crucial for security operations centers to monitor these consents to ensure that only trustworthy applications gain access and that users aren't inadvertently granting permissions to potentially harmful applications. If this detection flags a true positive, it indicates that an application has been granted permissions that could allow it to interact with OneDrive or SharePoint files in potentially malicious ways. Such actions could lead to data breaches, data loss, or unauthorized data manipulation. Immediate investigation would be required to validate the application's legitimacy, understand the nature of its requested permissions, and assess the potential risks associated with the access it's been granted. 
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies instances where a user in the Office 365 environment grants consent to an application that requests file permissions, specifically targeting OneDrive or SharePoint. Such permissions mean the application could potentially access, modify, or delete files stored within these services. The detection process leverages O365 audit logs, particularly focusing on events related to OAuth application consents. By examining these logs, the analytic is designed to capture and alert on any actions where users grant consent to applications requesting file-related permissions for OneDrive or SharePoint. The sensitivity of file permissions, especially in platforms as widely utilized as OneDrive and SharePoint, cannot be overstated. While many legitimate applications might require such permissions to operate, there's an inherent risk with malicious or overly permissive applications. Attackers could craft or exploit applications to gain file permissions, aiming to access, exfiltrate, or manipulate sensitive data housed in OneDrive or SharePoint. It's crucial for security operations centers to monitor these consents to ensure that only trustworthy applications gain access and that users aren't inadvertently granting permissions to potentially harmful applications. If this detection flags a true positive, it indicates that an application has been granted permissions that could allow it to interact with OneDrive or SharePoint files in potentially malicious ways. Such actions could lead to data breaches, data loss, or unauthorized data manipulation. 
Immediate investigation would be required to validate the application's legitimacy, understand the nature of its requested permissions, and assess the potential risks associated with the access it's been granted. action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. @@ -12108,7 +12418,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 File Permissioned Application Consent Granted by User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "mitre_attack": ["T1528"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -12127,11 +12437,57 @@ realtime_schedule = 0 is_visible = false search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Consent to application." ResultStatus=Success | eval admin_consent =mvindex('ModifiedProperties{}.NewValue', 0) | search admin_consent=False | eval permissions =mvindex('ModifiedProperties{}.NewValue', 4) | rex field=permissions "Scope: (?[^,]+)" | makemv delim=" " Scope | search Scope IN ("Files.Read", "Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All", "Files.ReadWrite.AppFolder") | stats max(_time) as lastTime values(Scope) by Operation, user, object, ObjectId | `security_content_ctime(lastTime)` | `o365_file_permissioned_application_consent_granted_by_user_filter` +[ESCU - O365 FullAccessAsApp Permission Assigned - Rule] +action.escu = 0 +action.escu.enabled = 1 +description = The following analytic triggers on the assignment of the 'full_access_as_app' permission to an application registration in Office 365, specifically within Exchange Online. The 'full_access_as_app' permission, identified by its GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', allows an application extensive control over Office 365 operations, including access to all mailboxes and the ability to send mail as any user. The analytic focuses on the ResourceAppId '00000002-0000-0ff1-ce00-000000000000', pinpointing permissions granted to the Office 365 Exchange Online resource. By analyzing Office 365 management activity logs and filtering Azure Active Directory workload events, the query detects when this specific permission is assigned. Monitoring this assignment is vital due to the broad access it provides, which can lead to unauthorized data access or exfiltration if misused. A true positive detection requires immediate attention to prevent potential security risks like account compromise or data loss. 
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.002", "T1098.003"], "nist": ["DE.CM"]} +action.escu.data_models = [] +action.escu.eli5 = The following analytic triggers on the assignment of the 'full_access_as_app' permission to an application registration in Office 365, specifically within Exchange Online. The 'full_access_as_app' permission, identified by its GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', allows an application extensive control over Office 365 operations, including access to all mailboxes and the ability to send mail as any user. The analytic focuses on the ResourceAppId '00000002-0000-0ff1-ce00-000000000000', pinpointing permissions granted to the Office 365 Exchange Online resource. By analyzing Office 365 management activity logs and filtering Azure Active Directory workload events, the query detects when this specific permission is assigned. Monitoring this assignment is vital due to the broad access it provides, which can lead to unauthorized data access or exfiltration if misused. A true positive detection requires immediate attention to prevent potential security risks like account compromise or data loss. +action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. +action.escu.known_false_positives = The full_access_as_app API permission may be assigned to legitimate applications. Filter as needed. 
+action.escu.creation_date = 2024-01-29 +action.escu.modification_date = 2024-01-29 +action.escu.confidence = high +action.escu.full_search_name = ESCU - O365 FullAccessAsApp Permission Assigned - Rule +action.escu.search_type = detection +action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] +action.escu.providing_technologies = null +action.escu.analytic_story = ["Office 365 Persistence Mechanisms", "NOBELIUM Group"] +action.risk = 1 +action.risk.param._risk_message = User $user$ assigned the full_access_as_app permission to the app registration $object$ +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 48}] +action.risk.param._risk_score = 0 +action.risk.param.verbose = 0 +cron_schedule = 0 * * * * +dispatch.earliest_time = -70m@m +dispatch.latest_time = -10m@m +action.correlationsearch.enabled = 1 +action.correlationsearch.label = ESCU - O365 FullAccessAsApp Permission Assigned - Rule +action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.002", "T1098.003"], "nist": ["DE.CM"]} +schedule_window = auto +action.notable = 1 +action.notable.param.nes_fields = user,dest +action.notable.param.rule_description = The following analytic triggers on the assignment of the 'full_access_as_app' permission to an application registration in Office 365, specifically within Exchange Online. The 'full_access_as_app' permission, identified by its GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', allows an application extensive control over Office 365 operations, including access to all mailboxes and the ability to send mail as any user. The analytic focuses on the ResourceAppId '00000002-0000-0ff1-ce00-000000000000', pinpointing permissions granted to the Office 365 Exchange Online resource. 
By analyzing Office 365 management activity logs and filtering Azure Active Directory workload events, the query detects when this specific permission is assigned. Monitoring this assignment is vital due to the broad access it provides, which can lead to unauthorized data access or exfiltration if misused. A true positive detection requires immediate attention to prevent potential security risks like account compromise or data loss. +action.notable.param.rule_title = O365 FullAccessAsApp Permission Assigned +action.notable.param.security_domain = identity +action.notable.param.severity = high +alert.digest_mode = 1 +disabled = true +enableSched = 1 +allow_skew = 100% +counttype = number of events +relation = greater than +quantity = 0 +realtime_schedule = 0 +is_visible = false +search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Update application." | eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) | spath input=newvalue | search "{}.ResourceAppId"="00000002-0000-0ff1-ce00-000000000000" "{}.RequiredAppPermissions{}.EntitlementId"="dc890d15-9560-4a4c-9b7f-a736ec74ec40" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_fullaccessasapp_permission_assigned_filter` + [ESCU - O365 High Number Of Failed Authentications for User - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies an O365 account that has experienced more than 20 failed authentication events within a span of 5 minutes. This could be indicative of an attacker attempting to brute force or guess the password for that particular user account. It leverages the O365 Unified Audit Logs, specifically the "UserLoginFailed" events. 
By monitoring the frequency and volume of these events for individual users, the analytic can flag accounts that exceed the set threshold of failed attempts within the defined timeframe. Multiple failed login attempts in a short period can be a strong indicator of malicious activity. While there could be benign reasons, such as a user forgetting their password, the rapid succession of failed attempts is often a sign of an attacker trying to gain unauthorized access. By detecting and alerting on this behavior, the SOC can quickly investigate and take appropriate action, potentially stopping an attack in its early stages. Given that environments differ across organizations, security teams should consider customizing the threshold of this detection to better suit their specific needs and risk profile. If an attacker successfully guesses or brute-forces a user's password after numerous attempts, they can gain unauthorized access to the O365 environment. This unauthorized access could allow them to view sensitive emails, documents, and other data. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1110", "T1110.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies an O365 account that has experienced more than 20 failed authentication events within a span of 5 minutes. This could be indicative of an attacker attempting to brute force or guess the password for that particular user account. It leverages the O365 Unified Audit Logs, specifically the "UserLoginFailed" events. By monitoring the frequency and volume of these events for individual users, the analytic can flag accounts that exceed the set threshold of failed attempts within the defined timeframe. Multiple failed login attempts in a short period can be a strong indicator of malicious activity. 
While there could be benign reasons, such as a user forgetting their password, the rapid succession of failed attempts is often a sign of an attacker trying to gain unauthorized access. By detecting and alerting on this behavior, the SOC can quickly investigate and take appropriate action, potentially stopping an attack in its early stages. Given that environments differ across organizations, security teams should consider customizing the threshold of this detection to better suit their specific needs and risk profile. If an attacker successfully guesses or brute-forces a user's password after numerous attempts, they can gain unauthorized access to the O365 environment. This unauthorized access could allow them to view sensitive emails, documents, and other data. action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. @@ -12146,7 +12502,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Office 365 Account Takeover"] action.risk = 1 action.risk.param._risk_message = User $user$ failed to authenticate more than 10 times in the span of 5 minutes. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 35}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 35}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
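Review bot: The new FullAccessAsApp stanza sets `action.notable.param.nes_fields = user,dest`, but its search ends in `stats ... by user, object, user_agent, Operation`, so `dest` is never produced and the notable will carry an empty field. The entity actually receiving full_access_as_app is `object` (the app registration), yet only `user` is scored in `action.risk.param._risk`, typed `other`; adding `{"risk_object_field": "object", "risk_object_type": "other", "risk_score": 48}` would let the risk index track the application as well. The search also assumes `mvindex('ModifiedProperties{}.NewValue',0)` holds the JSON that `spath` then filters on the two hard-coded GUIDs, which is the rule's only selector and deserves a comment in the source detection. If this file is rendered by the release job, these changes go in the detection YAML rather than here.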
@@ -12154,7 +12510,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 High Number Of Failed Authentications for User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "mitre_attack": ["T1110", "T1110.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1110", "T1110.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -12177,7 +12533,7 @@ search = `o365_management_activity` Operation=UserLoginFailed record_type=Azur action.escu = 0 action.escu.enabled = 1 description = This analytic detects when high-privilege roles, specifically "Exchange Administrator", "SharePoint Administrator", or "Global Administrator", are granted within Office 365. By monitoring O365 audit logs for events where these administrative roles are assigned to any user or service account, the analytic provides insight into critical role changes. The assignment of these roles is of paramount importance to Security Operations Centers (SOCs) as they grant extensive permissions, allowing for broad access and control over critical organizational resources and data. An unexpected or unauthorized role assignment could indicate potential malicious activity, insider threats, or misconfigurations. If an attacker or unauthorized individual is granted one of these roles, the potential impact includes gaining significant control over O365 resources, accessing, modifying, or deleting critical data, making configuration changes, and potentially compromising the overall security and functionality of the O365 environment. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This analytic detects when high-privilege roles, specifically "Exchange Administrator", "SharePoint Administrator", or "Global Administrator", are granted within Office 365. By monitoring O365 audit logs for events where these administrative roles are assigned to any user or service account, the analytic provides insight into critical role changes. 
The assignment of these roles is of paramount importance to Security Operations Centers (SOCs) as they grant extensive permissions, allowing for broad access and control over critical organizational resources and data. An unexpected or unauthorized role assignment could indicate potential malicious activity, insider threats, or misconfigurations. If an attacker or unauthorized individual is granted one of these roles, the potential impact includes gaining significant control over O365 resources, accessing, modifying, or deleting critical data, making configuration changes, and potentially compromising the overall security and functionality of the O365 environment. action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. @@ -12192,7 +12548,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Office 365 Persistence Mechanisms"] action.risk = 1 action.risk.param._risk_message = $user$ granted high privilege roles to $ObjectId$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 48}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
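Review bot: The `_risk` line of O365 High Privilege Role Granted retypes the `user` risk object from `"risk_object_type": "user"` to `"risk_object_type": "other"`, while the neighbouring High Number Of Failed Authentications and Multiple AppIDs hunks keep the same `user` field typed as `user` and only move `src_ip` to `other`. A user principal typed as `other` is no longer attributed to the identity in risk-based alerting, so the user object here should remain `{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}` unless the field has stopped holding a principal. The same retype appears in the Mailbox Read Access Granted to Application hunk (`@@ -12327,10 +12683,10 @@`). If this dist file is generated from the detection YAML, the fix belongs in the source detection's risk mapping rather than in this file.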
@@ -12200,7 +12556,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 High Privilege Role Granted - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -12223,7 +12579,7 @@ search = `o365_management_activity` Operation="Add member to role." Workload=Azu action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies instances where a user grants consent to an application that requests mail related permissions within the Office 365 environment. This could involve permissions to read, send, or manage mail settings. It leverages the O365 audit logs, specifically events related to application permissions and user consent actions. By filtering for mail-related permissions and user-granted consents, the analytic pinpoints potential security concerns. While many legitimate applications request mail permissions for valid reasons, malicious actors can exploit these permissions for data exfiltration, spear phishing, or other malicious activities. By monitoring for user-granted mail permissions, security teams can identify and review potentially risky consents, ensuring that only trusted applications have access to sensitive email data. If the detection is a true positive, it indicates that an application now has access to the users mail data as permitted. In the hands of a malicious actor, this could lead to unauthorized data access, email forwarding, or even the sending of malicious emails from the compromised account. Its crucial to validate the legitimacy of the application and the context of the consent to prevent potential data breaches or further malicious activities. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies instances where a user grants consent to an application that requests mail related permissions within the Office 365 environment. This could involve permissions to read, send, or manage mail settings. 
It leverages the O365 audit logs, specifically events related to application permissions and user consent actions. By filtering for mail-related permissions and user-granted consents, the analytic pinpoints potential security concerns. While many legitimate applications request mail permissions for valid reasons, malicious actors can exploit these permissions for data exfiltration, spear phishing, or other malicious activities. By monitoring for user-granted mail permissions, security teams can identify and review potentially risky consents, ensuring that only trusted applications have access to sensitive email data. If the detection is a true positive, it indicates that an application now has access to the users mail data as permitted. In the hands of a malicious actor, this could lead to unauthorized data access, email forwarding, or even the sending of malicious emails from the compromised account. Its crucial to validate the legitimacy of the application and the context of the consent to prevent potential data breaches or further malicious activities. action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. @@ -12246,7 +12602,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 Mail Permissioned Application Consent Granted by User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "mitre_attack": ["T1528"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -12269,7 +12625,7 @@ search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Con action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies instances where the inbox folder of a mailbox in Office 365 is shared with all users within the tenant. Sharing the inbox folder with all users is an unusual and risky configuration. Attackers have been known to exploit this setting to surreptitiously read a target user's emails from another account. Such unauthorized access can lead to data breaches, leakage of confidential information, or further compromise based on the information gathered from the emails. Monitoring for this configuration change ensures that inadvertent or malicious sharing is promptly identified and addressed. If an attacker successfully configures the inbox to be shared with all users, they can access and read all emails in the affected mailbox from any account within the tenant. This can lead to data exfiltration, spear-phishing attacks based on the information in the emails, or further malicious activities using sensitive information gathered from the mailbox. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies instances where the inbox folder of a mailbox in Office 365 is shared with all users within the tenant. Sharing the inbox folder with all users is an unusual and risky configuration. Attackers have been known to exploit this setting to surreptitiously read a target user's emails from another account. Such unauthorized access can lead to data breaches, leakage of confidential information, or further compromise based on the information gathered from the emails. 
Monitoring for this configuration change ensures that inadvertent or malicious sharing is promptly identified and addressed. If an attacker successfully configures the inbox to be shared with all users, they can access and read all emails in the affected mailbox from any account within the tenant. This can lead to data exfiltration, spear-phishing attacks based on the information in the emails, or further malicious activities using sensitive information gathered from the mailbox. action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. @@ -12281,7 +12637,7 @@ action.escu.full_search_name = ESCU - O365 Mailbox Inbox Folder Shared with All action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null -action.escu.analytic_story = ["Office 365 Persistence Mechanisms"] +action.escu.analytic_story = ["Office 365 Collection Techniques"] action.risk = 1 action.risk.param._risk_message = Inbox folder for the $MailboxOwnerUPN$ mailbox was shared with all users. action.risk.param._risk = [{"risk_object_field": "MailboxOwnerUPN", "risk_object_type": "user", "risk_score": 56}] 
@@ -12292,7 +12648,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 Mailbox Inbox Folder Shared with All Users - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -12315,7 +12671,7 @@ search = `o365_management_activity` Operation=ModifyFolderPermissions Workload= action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies instances where the Mail.Read Graph API permissions are granted to an application registration within an Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in application permissions within the AzureActiveDirectory workload. The Mail.Read permission allows applications to access and read all emails within a user's mailbox. Emails often contain sensitive or confidential information, and unauthorized access can lead to data breaches or leakage. Monitoring the assignment of this permission ensures that only legitimate applications have such access and that any inadvertent or malicious assignments are promptly identified. If an attacker successfully grants this permission to a malicious or compromised application, they can read all emails in the affected mailboxes. This can lead to data exfiltration, spear-phishing attacks, or further compromise based on the information gathered from the emails. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1114.002", "T1114", "T1098", "T1098.003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1114.002", "T1114", "T1098", "T1098.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies instances where the Mail.Read Graph API permissions are granted to an application registration within an Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in application permissions within the AzureActiveDirectory workload. The Mail.Read permission allows applications to access and read all emails within a user's mailbox. 
Emails often contain sensitive or confidential information, and unauthorized access can lead to data breaches or leakage. Monitoring the assignment of this permission ensures that only legitimate applications have such access and that any inadvertent or malicious assignments are promptly identified. If an attacker successfully grants this permission to a malicious or compromised application, they can read all emails in the affected mailboxes. This can lead to data exfiltration, spear-phishing attacks, or further compromise based on the information gathered from the emails. action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. @@ -12327,10 +12683,10 @@ action.escu.full_search_name = ESCU - O365 Mailbox Read Access Granted to Applic action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null -action.escu.analytic_story = ["Office 365 Persistence Mechanisms"] +action.escu.analytic_story = ["Office 365 Collection Techniques"] action.risk = 1 action.risk.param._risk_message = Application registration $object$ was grandes mailbox read access by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 45}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -12338,7 +12694,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 Mailbox Read Access Granted to Application - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "mitre_attack": ["T1114.002", "T1114", "T1098", "T1098.003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1114.002", "T1114", "T1098", "T1098.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -12361,7 +12717,7 @@ search = `o365_management_activity` Operation="Update application." | eval json_ action.escu = 0 action.escu.enabled = 1 description = This analytic detects potential distributed password spraying attacks within an Office 365 environment. It identifies a significant increase in failed authentication attempts characterized by diverse user-and-IP address combinations, originating from multiple source IP addresses, and utilizing various user agents. These patterns may indicate an adversary's attempt to circumvent security controls by employing a spectrum of IP addresses to test commonly used passwords against a wide range of user accounts. The detection examines UserLoginFailed events from O365 Management Activity logs, with a particular focus on events with ErrorNumber 50126, which indicates a failed authentication due to incorrect credentials. By aggregating data over a five-minute interval, the analytic calculates the distinct counts of user-and-IP combinations and unique users and source IPs. It then applies a set of thresholds to these metrics to identify abnormal activities that could suggest a coordinated attack. The predefined thresholds within the analytic (such as unique IPs, unique users, etc.) serve as initial benchmarks and should be tailored to align with the organization's typical user behavior and risk tolerance. Early detection of such distributed activities is crucial for security operations centers (SOCs) to intercept unauthorized access attempts, avert account takeovers, and reduce the risk of subsequent malevolent actions within the organization's systems. A true positive alert from this analytic would indicate an ongoing distributed password spraying campaign targeting the organization's Office 365 tenant. 
If such an attack is successful, it could lead to unauthorized access, especially to accounts with administrative privileges, resulting in data breaches, privilege escalation, persistent threats, and lateral movement within the organization's digital environment. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic detects potential distributed password spraying attacks within an Office 365 environment. It identifies a significant increase in failed authentication attempts characterized by diverse user-and-IP address combinations, originating from multiple source IP addresses, and utilizing various user agents. These patterns may indicate an adversary's attempt to circumvent security controls by employing a spectrum of IP addresses to test commonly used passwords against a wide range of user accounts. The detection examines UserLoginFailed events from O365 Management Activity logs, with a particular focus on events with ErrorNumber 50126, which indicates a failed authentication due to incorrect credentials. By aggregating data over a five-minute interval, the analytic calculates the distinct counts of user-and-IP combinations and unique users and source IPs. It then applies a set of thresholds to these metrics to identify abnormal activities that could suggest a coordinated attack. The predefined thresholds within the analytic (such as unique IPs, unique users, etc.) serve as initial benchmarks and should be tailored to align with the organization's typical user behavior and risk tolerance. 
Early detection of such distributed activities is crucial for security operations centers (SOCs) to intercept unauthorized access attempts, avert account takeovers, and reduce the risk of subsequent malevolent actions within the organization's systems. A true positive alert from this analytic would indicate an ongoing distributed password spraying campaign targeting the organization's Office 365 tenant. If such an attack is successful, it could lead to unauthorized access, especially to accounts with administrative privileges, resulting in data breaches, privilege escalation, persistent threats, and lateral movement within the organization's digital environment. action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. The thresholds set within the analytic (such as unique IPs, unique users, etc.) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment. 
@@ -12373,13 +12729,13 @@ action.escu.full_search_name = ESCU - O365 Multi-Source Failed Authentications S action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null -action.escu.analytic_story = ["Office 365 Account Takeover"] +action.escu.analytic_story = ["Office 365 Account Takeover", "NOBELIUM Group"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 Multi-Source Failed Authentications Spike - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -12396,7 +12752,7 @@ search = `o365_management_activity` Workload=AzureActiveDirectory Operation=Use action.escu = 0 action.escu.enabled = 1 description = This analytic is crafted to identify unusual and potentially malicious authentication activity within an O365 environment. It triggers when a single user account is involved in more than 8 authentication attempts, using 3 or more unique application IDs and more than 5 unique user agents within a short timeframe. This pattern is atypical for regular user behavior and may indicate an adversary's attempt to probe the environment, testing for multi-factor authentication requirements across different applications and platforms. The detection is based on analysis of O365 audit logs, specifically focusing on authentication events. It employs statistical thresholds to highlight instances where the volume of authentication attempts and the diversity of application IDs and user agents associated with a single user account exceed normal parameters. Identifying this behavior is crucial as it provides an early indication of potential account compromise. Adversaries, once in possession of user credentials, often conduct reconnaissance to understand the security controls in place, including multi-factor authentication configurations. Tools like Invoke-MFASweep are commonly used for this purpose, automating the process of testing different user agents and application IDs to bypass MFA. By detecting these initial probing attempts, security teams can swiftly respond, potentially stopping an attack in its early stages and preventing further unauthorized access. This proactive stance is vital for maintaining the integrity of the organization's security posture. If validated as a true positive, this detection points to a compromised account, signaling that an attacker is actively attempting to navigate security controls to maintain access and potentially escalate privileges. 
This could lead to further exploitation, lateral movement within the network, and eventual data exfiltration. Recognizing and responding to this early stage of an attack is vital for preventing substantial harm and safeguarding sensitive organizational data and systems. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic is crafted to identify unusual and potentially malicious authentication activity within an O365 environment. It triggers when a single user account is involved in more than 8 authentication attempts, using 3 or more unique application IDs and more than 5 unique user agents within a short timeframe. This pattern is atypical for regular user behavior and may indicate an adversary's attempt to probe the environment, testing for multi-factor authentication requirements across different applications and platforms. The detection is based on analysis of O365 audit logs, specifically focusing on authentication events. It employs statistical thresholds to highlight instances where the volume of authentication attempts and the diversity of application IDs and user agents associated with a single user account exceed normal parameters. Identifying this behavior is crucial as it provides an early indication of potential account compromise. Adversaries, once in possession of user credentials, often conduct reconnaissance to understand the security controls in place, including multi-factor authentication configurations. Tools like Invoke-MFASweep are commonly used for this purpose, automating the process of testing different user agents and application IDs to bypass MFA. 
By detecting these initial probing attempts, security teams can swiftly respond, potentially stopping an attack in its early stages and preventing further unauthorized access. This proactive stance is vital for maintaining the integrity of the organization's security posture. If validated as a true positive, this detection points to a compromised account, signaling that an attacker is actively attempting to navigate security controls to maintain access and potentially escalate privileges. This could lead to further exploitation, lateral movement within the network, and eventual data exfiltration. Recognizing and responding to this early stage of an attack is vital for preventing substantial harm and safeguarding sensitive organizational data and systems. action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. @@ -12411,7 +12767,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Office 365 Account Takeover"] action.risk = 1 action.risk.param._risk_message = $user$ authenticated in a short period of time with more than 5 different user agents across 3 or more unique application ids. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 48}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 48}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -12419,7 +12775,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 Multiple AppIDs and UserAgents Authentication Spike - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -12436,7 +12792,7 @@ search = `o365_management_activity` Workload=AzureActiveDirectory (Operation=Us action.escu = 0 action.escu.enabled = 1 description = This analytic identifies potential "MFA fatigue" attacks targeting Office 365 users. Specifically, it detects scenarios where a user experiences more than nine Multi-Factor Authentication (MFA) prompts within a 10-minute timeframe. Attackers may exploit MFA fatigue by repeatedly triggering MFA requests, hoping that the user, out of frustration or oversight, will approve a malicious authentication attempt. The detection leverages O365 management activity logs, focusing on Azure Active Directory events. It looks for the UserLoginFailed operation combined with a Success ResultStatus and an ErrorNumber of 500121, which indicates MFA prompts. By monitoring these specific events and conditions, the analytic captures and alerts on potential MFA fatigue scenarios. With MFA being a cornerstone of modern cybersecurity defenses, attackers are constantly seeking ways to bypass or exploit it. MFA fatigue is one such tactic, where attackers rely on user frustration or confusion caused by frequent MFA prompts. Detecting potential MFA fatigue scenarios allows security teams to proactively investigate and ensure that users aren't inadvertently granting access to malicious actors. If this detection flags a true positive, it suggests a potential attempt by an attacker to exploit MFA mechanisms to gain unauthorized access to an O365 account. Successful exploitation could lead to data breaches, unauthorized data access, or further compromise within the O365 environment. Immediate investigation and response would be crucial to safeguard the affected account and assess the full scope of the potential breach. 
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1621"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1621"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies potential "MFA fatigue" attacks targeting Office 365 users. Specifically, it detects scenarios where a user experiences more than nine Multi-Factor Authentication (MFA) prompts within a 10-minute timeframe. Attackers may exploit MFA fatigue by repeatedly triggering MFA requests, hoping that the user, out of frustration or oversight, will approve a malicious authentication attempt. The detection leverages O365 management activity logs, focusing on Azure Active Directory events. It looks for the UserLoginFailed operation combined with a Success ResultStatus and an ErrorNumber of 500121, which indicates MFA prompts. By monitoring these specific events and conditions, the analytic captures and alerts on potential MFA fatigue scenarios. With MFA being a cornerstone of modern cybersecurity defenses, attackers are constantly seeking ways to bypass or exploit it. MFA fatigue is one such tactic, where attackers rely on user frustration or confusion caused by frequent MFA prompts. Detecting potential MFA fatigue scenarios allows security teams to proactively investigate and ensure that users aren't inadvertently granting access to malicious actors. If this detection flags a true positive, it suggests a potential attempt by an attacker to exploit MFA mechanisms to gain unauthorized access to an O365 account. Successful exploitation could lead to data breaches, unauthorized data access, or further compromise within the O365 environment. Immediate investigation and response would be crucial to safeguard the affected account and assess the full scope of the potential breach. 
action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. @@ -12459,7 +12815,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 Multiple Failed MFA Requests For User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "mitre_attack": ["T1621"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1621"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -12478,11 +12834,137 @@ realtime_schedule = 0
 is_visible = false
 search = `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed ResultStatus=Success ErrorNumber=500121 | bucket span=10m _time | stats dc(_raw) as mfa_prompts values(LogonError) as LogonError values(signature) as signature by user, _time | where mfa_prompts > 9 | `o365_multiple_failed_mfa_requests_for_user_filter`
+[ESCU - O365 Multiple Mailboxes Accessed via API - Rule]
+action.escu = 0
+action.escu.enabled = 1
+description = The following analytic is designed to trigger when a high number of Office 365 Exchange mailboxes are accessed via API (Microsoft Graph API or Exchange Web Services) in a short time, hinting at possible unauthorized mass email access. It tracks 'MailItemsAccessed' operations in Exchange, using AppId and regex to identify API interactions. Crucial for SOC teams, this analytic focuses on spotting abnormal access patterns, often signaling data exfiltration or account compromise. Security teams should tailor the threshold set here to flag over five unique mailboxes accessed within 10 minutes to align with their environment's norms, ensuring effective detection of potential security incidents while maintaining operational efficiency.
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.002"], "nist": ["DE.CM"]}
+action.escu.data_models = ["Web"]
+action.escu.eli5 = The following analytic is designed to trigger when a high number of Office 365 Exchange mailboxes are accessed via API (Microsoft Graph API or Exchange Web Services) in a short time, hinting at possible unauthorized mass email access. It tracks 'MailItemsAccessed' operations in Exchange, using AppId and regex to identify API interactions. Crucial for SOC teams, this analytic focuses on spotting abnormal access patterns, often signaling data exfiltration or account compromise.
Security teams should tailor the threshold set here to flag over five unique mailboxes accessed within 10 minutes to align with their environment's norms, ensuring effective detection of potential security incidents while maintaining operational efficiency.
+action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
+action.escu.known_false_positives = Legitimate applications may access multiple mailboxes via an API. You can filter by the ClientAppId or the CLientIpAddress fields.
+action.escu.creation_date = 2024-02-01
+action.escu.modification_date = 2024-02-01
+action.escu.confidence = high
+action.escu.full_search_name = ESCU - O365 Multiple Mailboxes Accessed via API - Rule
+action.escu.search_type = detection
+action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
+action.escu.providing_technologies = null
+action.escu.analytic_story = ["Office 365 Collection Techniques", "NOBELIUM Group"]
+action.risk = 1
+action.risk.param._risk_message = An Oauth application identified with id $ClientAppId$ accessed multiple mailboxes in a short period of time via an API.
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}]
+action.risk.param._risk_score = 0
+action.risk.param.verbose = 0
+cron_schedule = 0 * * * *
+dispatch.earliest_time = -70m@m
+dispatch.latest_time = -10m@m
+action.correlationsearch.enabled = 1
+action.correlationsearch.label = ESCU - O365 Multiple Mailboxes Accessed via API - Rule
+action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.002"], "nist": ["DE.CM"]}
+schedule_window = auto
+action.notable = 1
+action.notable.param.nes_fields = user,dest
+action.notable.param.rule_description = The following analytic is designed to trigger when a high number of Office 365 Exchange mailboxes are accessed via API (Microsoft Graph API or Exchange Web Services) in a short time, hinting at possible unauthorized mass email access. It tracks 'MailItemsAccessed' operations in Exchange, using AppId and regex to identify API interactions. Crucial for SOC teams, this analytic focuses on spotting abnormal access patterns, often signaling data exfiltration or account compromise. Security teams should tailor the threshold set here to flag over five unique mailboxes accessed within 10 minutes to align with their environment's norms, ensuring effective detection of potential security incidents while maintaining operational efficiency.
+action.notable.param.rule_title = O365 Multiple Mailboxes Accessed via API
+action.notable.param.security_domain = threat
+action.notable.param.severity = high
+alert.digest_mode = 1
+disabled = true
+enableSched = 1
+allow_skew = 100%
+counttype = number of events
+relation = greater than
+quantity = 0
+realtime_schedule = 0
+is_visible = false
+search = `o365_management_activity` Workload=Exchange Operation=MailItemsAccessed AppId=* ClientAppId=* | bucket span=10m _time | eval matchRegex=if(match(ClientInfoString, "^Client=WebServices;ExchangeWebServices"), 1, 0) | search (AppId="00000003-0000-0000-c000-000000000000" OR matchRegex=1) | stats values(ClientIPAddress) as src_ip dc(user) as unique_mailboxes values(user) as user by _time ClientAppId ClientInfoString | where unique_mailboxes > 5 | `o365_multiple_mailboxes_accessed_via_api_filter`
+
+[ESCU - O365 Multiple Service Principals Created by SP - Rule]
+action.escu = 0
+action.escu.enabled = 1
+description = This detection aims to identify instances where a single service principal creates more than three unique OAuth applications within a 10-minute timeframe, using O365 logs from the Unified Audit Log. The focus is on tracking the 'Add service principal' operation within the Office 365 Azure Active Directory environment. The query effectively buckets events in 10-minute intervals, specifically scrutinizing the actions of service principals. By quantifying the number of distinct OAuth applications each service principal establishes, the analytic provides critical insights for SOC teams into potentially anomalous or malicious activities. These activities could include a compromised or malicious service principal being used to create multiple service principals, which might be indicative of an attempt to expand control or access within the network.
Security teams are advised to adapt the threshold of three applications to align with their typical operational baseline
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"]}
+action.escu.data_models = []
+action.escu.eli5 = This detection aims to identify instances where a single service principal creates more than three unique OAuth applications within a 10-minute timeframe, using O365 logs from the Unified Audit Log. The focus is on tracking the 'Add service principal' operation within the Office 365 Azure Active Directory environment. The query effectively buckets events in 10-minute intervals, specifically scrutinizing the actions of service principals. By quantifying the number of distinct OAuth applications each service principal establishes, the analytic provides critical insights for SOC teams into potentially anomalous or malicious activities. These activities could include a compromised or malicious service principal being used to create multiple service principals, which might be indicative of an attempt to expand control or access within the network. Security teams are advised to adapt the threshold of three applications to align with their typical operational baseline
+action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
+action.escu.known_false_positives = Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed.
+action.escu.creation_date = 2024-02-07
+action.escu.modification_date = 2024-02-07
+action.escu.confidence = high
+action.escu.full_search_name = ESCU - O365 Multiple Service Principals Created by SP - Rule
+action.escu.search_type = detection
+action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
+action.escu.providing_technologies = null
+action.escu.analytic_story = ["Office 365 Persistence Mechanisms", "NOBELIUM Group"]
+action.risk = 1
+action.risk.param._risk_message = Multiple OAuth applications were created by $src_user$ in a short period of time
+action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "other", "risk_score": 42}]
+action.risk.param._risk_score = 0
+action.risk.param.verbose = 0
+cron_schedule = 0 * * * *
+dispatch.earliest_time = -70m@m
+dispatch.latest_time = -10m@m
+action.correlationsearch.enabled = 1
+action.correlationsearch.label = ESCU - O365 Multiple Service Principals Created by SP - Rule
+action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"]}
+schedule_window = auto
+alert.digest_mode = 1
+disabled = true
+enableSched = 1
+allow_skew = 100%
+counttype = number of events
+relation = greater than
+quantity = 0
+realtime_schedule = 0
+is_visible = false
+search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Add service principal."
| bucket span=10m _time | eval len=mvcount('Actor{}.ID') | eval userType = mvindex('Actor{}.ID',len-1) | search userType = "ServicePrincipal" | eval displayName = object | stats count earliest(_time) as firstTime latest(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_multiple_service_principals_created_by_sp_filter`
+
+[ESCU - O365 Multiple Service Principals Created by User - Rule]
+action.escu = 0
+action.escu.enabled = 1
+description = This detection is tailored to spot occurrences where a single user, rather than a service principal, creates more than three unique OAuth applications within a 10-minute window in the Office 365 environment. Utilizing O365 logs from the Unified Audit Log, it focuses on the 'Add service principal' operation in Azure Active Directory. The query segments events into 10-minute intervals, exclusively monitoring user activities. It calculates the number of distinct OAuth applications initiated by each user, providing SOC teams with essential data for identifying potential security threats. Such activity could suggest that a user account is either compromised or engaged in unauthorized activities, potentially setting the stage for broader network infiltration or privilege escalation. It's important for security teams to adjust the threshold of three applications to fit their operational context.
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"]}
+action.escu.data_models = []
+action.escu.eli5 = This detection is tailored to spot occurrences where a single user, rather than a service principal, creates more than three unique OAuth applications within a 10-minute window in the Office 365 environment.
Utilizing O365 logs from the Unified Audit Log, it focuses on the 'Add service principal' operation in Azure Active Directory. The query segments events into 10-minute intervals, exclusively monitoring user activities. It calculates the number of distinct OAuth applications initiated by each user, providing SOC teams with essential data for identifying potential security threats. Such activity could suggest that a user account is either compromised or engaged in unauthorized activities, potentially setting the stage for broader network infiltration or privilege escalation. It's important for security teams to adjust the threshold of three applications to fit their operational context.
+action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
+action.escu.known_false_positives = Certain users or applications may create multiple service principals in a short period of time for legitimate purposes. Filter as needed.
+action.escu.creation_date = 2024-02-07
+action.escu.modification_date = 2024-02-07
+action.escu.confidence = high
+action.escu.full_search_name = ESCU - O365 Multiple Service Principals Created by User - Rule
+action.escu.search_type = detection
+action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
+action.escu.providing_technologies = null
+action.escu.analytic_story = ["Office 365 Persistence Mechanisms", "NOBELIUM Group"]
+action.risk = 1
+action.risk.param._risk_message = Multiple OAuth applications were created by $src_user$ in a short period of time
+action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "other", "risk_score": 42}]
+action.risk.param._risk_score = 0
+action.risk.param.verbose = 0
+cron_schedule = 0 * * * *
+dispatch.earliest_time = -70m@m
+dispatch.latest_time = -10m@m
+action.correlationsearch.enabled = 1
+action.correlationsearch.label = ESCU - O365 Multiple Service Principals Created by User - Rule
+action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003"], "nist": ["DE.AE"]}
+schedule_window = auto
+alert.digest_mode = 1
+disabled = true
+enableSched = 1
+allow_skew = 100%
+counttype = number of events
+relation = greater than
+quantity = 0
+realtime_schedule = 0
+is_visible = false
+search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Add service principal."
| bucket span=10m _time | eval len=mvcount('Actor{}.ID') | eval userType = mvindex('Actor{}.ID',len-1) | search userType = "User" | eval displayName = object | stats count earliest(_time) as firstTime latest(_time) as lastTime values(displayName) as displayName dc(displayName) as unique_apps by src_user | where unique_apps > 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_multiple_service_principals_created_by_user_filter`
+
 [ESCU - O365 Multiple Users Failing To Authenticate From Ip - Rule]
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic identifies instances where multiple users (more than 10 unique accounts) have failed to authenticate from a single IP address within a short time span (5 minutes). Such a pattern can be indicative of malicious activities, such as brute-force attacks or password spraying attempts. The detection leverages O365 audit logs, specifically focusing on Azure Active Directory login failures (AzureActiveDirectoryStsLogon). By aggregating these failures based on the source IP address and time, the analytic captures patterns where multiple unique user accounts have authentication failures from the same IP within a 5-minute window. Multiple authentication failures from a single IP address targeting various accounts can be a strong indicator of an attacker trying to gain unauthorized access. It could represent a brute-force attack, password spraying, or other malicious login attempts. Identifying and responding to such patterns promptly is crucial to prevent potential account compromises and unauthorized access to organizational resources. If the detection is a true positive, it suggests that an external entity is actively trying to breach the security by targeting multiple user accounts. While the attempts have been unsuccessful (as indicated by the login failures), it's a clear sign of malicious intent.
Immediate action is required to block or monitor the suspicious IP, investigate the nature of the attempts, and potentially notify affected users to take precautionary measures like password changes or enabling multi-factor authentication.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = This analytic identifies instances where multiple users (more than 10 unique accounts) have failed to authenticate from a single IP address within a short time span (5 minutes). Such a pattern can be indicative of malicious activities, such as brute-force attacks or password spraying attempts. The detection leverages O365 audit logs, specifically focusing on Azure Active Directory login failures (AzureActiveDirectoryStsLogon). By aggregating these failures based on the source IP address and time, the analytic captures patterns where multiple unique user accounts have authentication failures from the same IP within a 5-minute window. Multiple authentication failures from a single IP address targeting various accounts can be a strong indicator of an attacker trying to gain unauthorized access. It could represent a brute-force attack, password spraying, or other malicious login attempts. Identifying and responding to such patterns promptly is crucial to prevent potential account compromises and unauthorized access to organizational resources. If the detection is a true positive, it suggests that an external entity is actively trying to breach the security by targeting multiple user accounts. While the attempts have been unsuccessful (as indicated by the login failures), it's a clear sign of malicious intent.
Immediate action is required to block or monitor the suspicious IP, investigate the nature of the attempts, and potentially notify affected users to take precautionary measures like password changes or enabling multi-factor authentication.
 action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
@@ -12494,10 +12976,10 @@ action.escu.full_search_name = ESCU - O365 Multiple Users Failing To Authenticat
 action.escu.search_type = detection
 action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
 action.escu.providing_technologies = null
-action.escu.analytic_story = ["Office 365 Account Takeover"]
+action.escu.analytic_story = ["Office 365 Account Takeover", "NOBELIUM Group"]
 action.risk = 1
 action.risk.param._risk_message = Source Ip $src_ip$ failed to authenticate with 20 users within 5 minutes.
-action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 63}]
+action.risk.param._risk = [{"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 63}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
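Review bot: In the new `ESCU - O365 Multiple Mailboxes Accessed via API - Rule`, `action.notable.param.nes_fields = user,dest` names a `dest` field that the search never produces — its `stats` emits only `src_ip`, `unique_mailboxes`, `user`, `ClientAppId` and `ClientInfoString` — so the notable's second entity field will be empty; `+action.notable.param.nes_fields = user,src_ip` matches what the search actually returns. The same rule declares `action.escu.data_models = ["Web"]` although the search reads raw `o365_management_activity` events rather than a data model, while the two Service Principal rules in this hunk declare `[]`. Its known_false_positives text tells analysts to filter on `CLientIpAddress`, but the field the search consumes is `ClientIPAddress` (exposed as `src_ip`), which is the name a filter macro would need. The two `Multiple Service Principals Created by` rules carry a risk action but no `action.notable` block, unlike the mailbox rule; presumably a deliberate risk-only design, but worth confirming since their confidence and impact values match the mailbox rule's.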
@@ -12505,7 +12987,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - O365 Multiple Users Failing To Authenticate From Ip - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Weaponization", "Exploitation"], "mitre_attack": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
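Review bot: The `risk_object_type` for `src_ip` changes from `system` to `other` in the `O365 Multiple Users Failing To Authenticate From Ip` rule, which — as far as I can tell from the ES risk framework — stops the IP from being treated as an asset-type risk object, so it will no longer pick up asset enrichment or aggregate with other system-scoped risk for that host. If the intent is to avoid spurious asset matches on external source IPs that is defensible, but the change is silent here; a short rationale in the rule's YAML source would save the next reader from reverting it. Separately, the unchanged risk message `Source Ip $src_ip$ failed to authenticate with 20 users within 5 minutes.` disagrees with the description's "more than 10 unique accounts" threshold; worth aligning when the rule is next touched.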
@@ -12528,7 +13010,7 @@ search = `o365_management_activity` Workload=AzureActiveDirectory Operation=Use
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies the addition of a new federated domain in an organization's Office 365 environment. This behavior is detected by analyzing the Office 365 management activity logs using the Splunk query o365_management_activity, specifically filtering for the Workload=Exchange and Operation="Add-FederatedDomain" parameters. The addition of a new federated domain can be a significant security concern, as it might indicate unauthorized changes or potential compromises within the Office 365 setup. Attackers, upon gaining sufficient privileges, could add a federated domain to establish a backdoor, bypass security measures, or exfiltrate data. Such unauthorized changes can lead to data breaches, unauthorized access to sensitive data, and potential compromise of organizational infrastructure. When this analytic is triggered, immediate steps should include reviewing the details of the added federated domain, such as the organization name, originating server, user ID, and user key. Concurrent processes or other indicators of compromise should also be investigated to pinpoint the source of the potential breach.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies the addition of a new federated domain in an organization's Office 365 environment. This behavior is detected by analyzing the Office 365 management activity logs using the Splunk query o365_management_activity, specifically filtering for the Workload=Exchange and Operation="Add-FederatedDomain" parameters.
The addition of a new federated domain can be a significant security concern, as it might indicate unauthorized changes or potential compromises within the Office 365 setup. Attackers, upon gaining sufficient privileges, could add a federated domain to establish a backdoor, bypass security measures, or exfiltrate data. Such unauthorized changes can lead to data breaches, unauthorized access to sensitive data, and potential compromise of organizational infrastructure. When this analytic is triggered, immediate steps should include reviewing the details of the added federated domain, such as the organization name, originating server, user ID, and user key. Concurrent processes or other indicators of compromise should also be investigated to pinpoint the source of the potential breach.
 action.escu.how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity.
@@ -12551,7 +13033,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - O365 New Federated Domain Added - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms", "Cloud Federated Credential Abuse"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms", "Cloud Federated Credential Abuse"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -12574,7 +13056,7 @@ search = `o365_management_activity` Operation IN ("*add*", "*new*") AND Operatio
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic detects the registration of a new Multi-Factor Authentication (MFA) method associated with a user account within Office 365 by monitoring O365 audit logs and configurations. While adding a new MFA method can be a routine and legitimate action, it can also be indicative of an attacker's attempt to maintain persistence on a compromised account. By registering a new MFA method, attackers can potentially bypass existing security measures, allowing them to authenticate using stolen credentials without raising alarms. Monitoring for such changes is crucial, especially if the addition is not preceded by a user request or if it deviates from typical user behavior. If an attacker successfully registers a new MFA method on a compromised account, they can solidify their access, making it harder for legitimate users to regain control. The attacker can then operate with the privileges of the compromised account, potentially accessing sensitive data, making unauthorized changes, or even escalating their privileges further. Immediate action would be required to verify the legitimacy of the MFA change and, if malicious, to remediate and secure the affected account.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1098", "T1098.005"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.005"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Authentication"]
 action.escu.eli5 = This analytic detects the registration of a new Multi-Factor Authentication (MFA) method associated with a user account within Office 365 by monitoring O365 audit logs and configurations.
While adding a new MFA method can be a routine and legitimate action, it can also be indicative of an attacker's attempt to maintain persistence on a compromised account. By registering a new MFA method, attackers can potentially bypass existing security measures, allowing them to authenticate using stolen credentials without raising alarms. Monitoring for such changes is crucial, especially if the addition is not preceded by a user request or if it deviates from typical user behavior. If an attacker successfully registers a new MFA method on a compromised account, they can solidify their access, making it harder for legitimate users to regain control. The attacker can then operate with the privileges of the compromised account, potentially accessing sensitive data, making unauthorized changes, or even escalating their privileges further. Immediate action would be required to verify the legitimacy of the MFA change and, if malicious, to remediate and secure the affected account.
 action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
@@ -12597,7 +13079,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - O365 New MFA Method Registered - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "mitre_attack": ["T1098", "T1098.005"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.005"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -12616,11 +13098,149 @@ realtime_schedule = 0
 is_visible = false
 search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Update user." | eval propertyName = mvindex('ModifiedProperties{}.Name', 0) | search propertyName = StrongAuthenticationMethod | eval oldvalue = mvindex('ModifiedProperties{}.OldValue',0) | eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) | rex field=newvalue max_match=0 "(?i)(?\"MethodType\")" | rex field=oldvalue max_match=0 "(?i)(?\"MethodType\")" | eval count_new_method_type = coalesce(mvcount(new_method_type), 0) | eval count_old_method_type = coalesce(mvcount(old_method_type), 0) | where count_new_method_type > count_old_method_type | stats earliest(_time) as firstTime latest(_time) as lastTime values(propertyName) by user newvalue oldvalue | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_mfa_method_registered_filter`
+[ESCU - O365 OAuth App Mailbox Access via EWS - Rule]
+action.escu = 0
+action.escu.enabled = 1
+description = The following analytic detects when emails are accessed in Office 365 Exchange via Exchange Web Services (EWS), as indicated by the ClientInfoString field starting with "Client=WebServices;ExchangeWebServices". It monitors mailbox activities, focusing on OAuth-authenticated applications that interact with EWS. The query aggregates key metrics such as access counts, timing, and client IP addresses, categorized by user, ClientAppId, OperationCount, and AppId. For defenders, it is critical to keep track of OAuth applications using EWS to access emails, as this information is instrumental in identifying and preventing potential abuse or unauthorized data access. 
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.002"], "nist": ["DE.CM"]}
+action.escu.data_models = ["Web"]
+action.escu.eli5 = The following analytic detects when emails are accessed in Office 365 Exchange via Exchange Web Services (EWS), as indicated by the ClientInfoString field starting with "Client=WebServices;ExchangeWebServices". It monitors mailbox activities, focusing on OAuth-authenticated applications that interact with EWS. The query aggregates key metrics such as access counts, timing, and client IP addresses, categorized by user, ClientAppId, OperationCount, and AppId. For defenders, it is critical to keep track of OAuth applications using EWS to access emails, as this information is instrumental in identifying and preventing potential abuse or unauthorized data access.
+action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
+action.escu.known_false_positives = OAuth applications may access mailboxes for legitimate purposes, you can use the src_ip to add trusted sources to an allow list.
+action.escu.creation_date = 2024-01-31
+action.escu.modification_date = 2024-01-31
+action.escu.confidence = high
+action.escu.full_search_name = ESCU - O365 OAuth App Mailbox Access via EWS - Rule
+action.escu.search_type = detection
+action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
+action.escu.providing_technologies = null
+action.escu.analytic_story = ["Office 365 Collection Techniques", "NOBELIUM Group"]
+action.risk = 1
+action.risk.param._risk_message = An OAuth application identified with id $ClientAppId$ accesed mailboxes through the Graph API. 
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}]
+action.risk.param._risk_score = 0
+action.risk.param.verbose = 0
+cron_schedule = 0 * * * *
+dispatch.earliest_time = -70m@m
+dispatch.latest_time = -10m@m
+action.correlationsearch.enabled = 1
+action.correlationsearch.label = ESCU - O365 OAuth App Mailbox Access via EWS - Rule
+action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.002"], "nist": ["DE.CM"]}
+schedule_window = auto
+action.notable = 1
+action.notable.param.nes_fields = user,dest
+action.notable.param.rule_description = The following analytic detects when emails are accessed in Office 365 Exchange via Exchange Web Services (EWS), as indicated by the ClientInfoString field starting with "Client=WebServices;ExchangeWebServices". It monitors mailbox activities, focusing on OAuth-authenticated applications that interact with EWS. The query aggregates key metrics such as access counts, timing, and client IP addresses, categorized by user, ClientAppId, OperationCount, and AppId. For defenders, it is critical to keep track of OAuth applications using EWS to access emails, as this information is instrumental in identifying and preventing potential abuse or unauthorized data access. 
+action.notable.param.rule_title = O365 OAuth App Mailbox Access via EWS
+action.notable.param.security_domain = threat
+action.notable.param.severity = high
+alert.digest_mode = 1
+disabled = true
+enableSched = 1
+allow_skew = 100%
+counttype = number of events
+relation = greater than
+quantity = 0
+realtime_schedule = 0
+is_visible = false
+search = `o365_management_activity` Workload=Exchange Operation=MailItemsAccessed AppId=* ClientAppId=* | regex ClientInfoString="^Client=WebServices;ExchangeWebServices" | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ClientIPAddress) as src_ip by user ClientAppId OperationCount AppId ClientInfoString | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_oauth_app_mailbox_access_via_ews_filter`
+
+[ESCU - O365 OAuth App Mailbox Access via Graph API - Rule]
+action.escu = 0
+action.escu.enabled = 1
+description = This Splunk analytic detects when emails are accessed in Office 365 Exchange via the Microsoft Graph API, identified by the client ID '00000003-0000-0000-c000-000000000000'. It tracks the 'MailItemsAccessed' operation within the Exchange workload, focusing on OAuth-authenticated applications. The query compiles statistics on access frequency, timing, and client IP addresses, organized by user, client application ID, and AppId. For defenders, it's crucial to maintain an inventory of all OAuth applications that read emails, using this data to scrutinize and identify any potential abusive access patterns.
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.002"], "nist": ["DE.CM"]}
+action.escu.data_models = []
+action.escu.eli5 = This Splunk analytic detects when emails are accessed in Office 365 Exchange via the Microsoft Graph API, identified by the client ID '00000003-0000-0000-c000-000000000000'. 
It tracks the 'MailItemsAccessed' operation within the Exchange workload, focusing on OAuth-authenticated applications. The query compiles statistics on access frequency, timing, and client IP addresses, organized by user, client application ID, and AppId. For defenders, it's crucial to maintain an inventory of all OAuth applications that read emails, using this data to scrutinize and identify any potential abusive access patterns.
+action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
+action.escu.known_false_positives = OAuth applications may access mailboxes for legitimate purposes, you can use the ClientAppId to add trusted applications to an allow list.
+action.escu.creation_date = 2024-01-31
+action.escu.modification_date = 2024-01-31
+action.escu.confidence = high
+action.escu.full_search_name = ESCU - O365 OAuth App Mailbox Access via Graph API - Rule
+action.escu.search_type = detection
+action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
+action.escu.providing_technologies = null
+action.escu.analytic_story = ["Office 365 Collection Techniques", "NOBELIUM Group"]
+action.risk = 1
+action.risk.param._risk_message = An OAuth application identified with id $ClientAppId$ accesed mailboxes through the Graph API. 
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 42}]
+action.risk.param._risk_score = 0
+action.risk.param.verbose = 0
+cron_schedule = 0 * * * *
+dispatch.earliest_time = -70m@m
+dispatch.latest_time = -10m@m
+action.correlationsearch.enabled = 1
+action.correlationsearch.label = ESCU - O365 OAuth App Mailbox Access via Graph API - Rule
+action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.002"], "nist": ["DE.CM"]}
+schedule_window = auto
+action.notable = 1
+action.notable.param.nes_fields = user,dest
+action.notable.param.rule_description = This Splunk analytic detects when emails are accessed in Office 365 Exchange via the Microsoft Graph API, identified by the client ID '00000003-0000-0000-c000-000000000000'. It tracks the 'MailItemsAccessed' operation within the Exchange workload, focusing on OAuth-authenticated applications. The query compiles statistics on access frequency, timing, and client IP addresses, organized by user, client application ID, and AppId. For defenders, it's crucial to maintain an inventory of all OAuth applications that read emails, using this data to scrutinize and identify any potential abusive access patterns. 
+action.notable.param.rule_title = O365 OAuth App Mailbox Access via Graph API
+action.notable.param.security_domain = threat
+action.notable.param.severity = high
+alert.digest_mode = 1
+disabled = true
+enableSched = 1
+allow_skew = 100%
+counttype = number of events
+relation = greater than
+quantity = 0
+realtime_schedule = 0
+is_visible = false
+search = `o365_management_activity` Workload=Exchange Operation=MailItemsAccessed AppId=* AppId=00000003-0000-0000-c000-000000000000 | stats count earliest(_time) as firstTime latest(_time) as lastTime values(ClientIPAddress) by user ClientAppId OperationCount AppId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_oauth_app_mailbox_access_via_graph_api_filter`
+
+[ESCU - O365 Privileged Graph API Permission Assigned - Rule]
+action.escu = 0
+action.escu.enabled = 1
+description = This Splunk analytic detects the assignment of critical Graph API permissions in Azure AD using O365 Unified Audit Log as its data source. It focuses on three permissions, Application.ReadWrite.All (Entitlement ID 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9), AppRoleAssignment.ReadWrite.All (06b708a9-e830-4db3-a914-8e69da51d44f), and RoleManagement.ReadWrite.Directory (9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). These permissions, crucial for controlling Azure AD settings, pose a high risk if misused. The query monitors Azure Active Directory workload events in the Office 365 Management Activity, specifically 'Update application' operations. It extracts and analyzes data to spot when these permissions are granted, gathering details about the user, object, and user agent involved. Due to the significant control these permissions provide, immediate investigation is crucial upon detection to prevent unauthorized modifications. 
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]}
+action.escu.data_models = []
+action.escu.eli5 = This Splunk analytic detects the assignment of critical Graph API permissions in Azure AD using O365 Unified Audit Log as its data source. It focuses on three permissions, Application.ReadWrite.All (Entitlement ID 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9), AppRoleAssignment.ReadWrite.All (06b708a9-e830-4db3-a914-8e69da51d44f), and RoleManagement.ReadWrite.Directory (9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). These permissions, crucial for controlling Azure AD settings, pose a high risk if misused. The query monitors Azure Active Directory workload events in the Office 365 Management Activity, specifically 'Update application' operations. It extracts and analyzes data to spot when these permissions are granted, gathering details about the user, object, and user agent involved. Due to the significant control these permissions provide, immediate investigation is crucial upon detection to prevent unauthorized modifications.
+action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
+action.escu.known_false_positives = Privileged Graph API permissions may be assigned for legitimate purposes. Filter as needed. 
+action.escu.creation_date = 2024-01-30
+action.escu.modification_date = 2024-01-30
+action.escu.confidence = high
+action.escu.full_search_name = ESCU - O365 Privileged Graph API Permission Assigned - Rule
+action.escu.search_type = detection
+action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
+action.escu.providing_technologies = null
+action.escu.analytic_story = ["Office 365 Persistence Mechanisms", "NOBELIUM Group"]
+action.risk = 1
+action.risk.param._risk_message = User $user$ assigned privileged Graph API permissions to $object$
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 54}]
+action.risk.param._risk_score = 0
+action.risk.param.verbose = 0
+cron_schedule = 0 * * * *
+dispatch.earliest_time = -70m@m
+dispatch.latest_time = -10m@m
+action.correlationsearch.enabled = 1
+action.correlationsearch.label = ESCU - O365 Privileged Graph API Permission Assigned - Rule
+action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002"], "nist": ["DE.CM"]}
+schedule_window = auto
+action.notable = 1
+action.notable.param.nes_fields = user,dest
+action.notable.param.rule_description = This Splunk analytic detects the assignment of critical Graph API permissions in Azure AD using O365 Unified Audit Log as its data source. It focuses on three permissions, Application.ReadWrite.All (Entitlement ID 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9), AppRoleAssignment.ReadWrite.All (06b708a9-e830-4db3-a914-8e69da51d44f), and RoleManagement.ReadWrite.Directory (9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). These permissions, crucial for controlling Azure AD settings, pose a high risk if misused. 
The query monitors Azure Active Directory workload events in the Office 365 Management Activity, specifically 'Update application' operations. It extracts and analyzes data to spot when these permissions are granted, gathering details about the user, object, and user agent involved. Due to the significant control these permissions provide, immediate investigation is crucial upon detection to prevent unauthorized modifications.
+action.notable.param.rule_title = O365 Privileged Graph API Permission Assigned
+action.notable.param.security_domain = identity
+action.notable.param.severity = high
+alert.digest_mode = 1
+disabled = true
+enableSched = 1
+allow_skew = 100%
+counttype = number of events
+relation = greater than
+quantity = 0
+realtime_schedule = 0
+is_visible = false
+search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Update application." | eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) | spath input=newvalue | search "{}.RequiredAppPermissions{}.EntitlementId"="1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9" OR "{}.RequiredAppPermissions{}.EntitlementId"="06b708a9-e830-4db3-a914-8e69da51d44f" OR "{}.RequiredAppPermissions{}.EntitlementId"="9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_privileged_graph_api_permission_assigned_filter`
+
 [ESCU - O365 PST export alert - Rule]
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic detects instances where a user has initiated an eDiscovery search or exported a PST file from the search results in an Office 365 environment. The detection leverages the Office 365 management activity logs, specifically filtering for events categorized under ThreatManagement with the name eDiscovery search started or exported. 
The initiation of an eDiscovery search or the export of a PST file can be indicative of data exfiltration attempts or unauthorized access to sensitive information. PST files often contain a wealth of sensitive data, including the content of emails. Monitoring for such activities is crucial as they can expose sensitive organizational communications and data. If confirmed as a malicious activity, it suggests that an attacker or insider threat is attempting to gather or exfiltrate data. This can lead to data breaches, loss of intellectual property, or unauthorized access to confidential communications. Immediate investigation is required to determine the scope and intent of the activity and to take appropriate remedial actions.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1114"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = This analytic detects instances where a user has initiated an eDiscovery search or exported a PST file from the search results in an Office 365 environment. The detection leverages the Office 365 management activity logs, specifically filtering for events categorized under ThreatManagement with the name eDiscovery search started or exported. The initiation of an eDiscovery search or the export of a PST file can be indicative of data exfiltration attempts or unauthorized access to sensitive information. PST files often contain a wealth of sensitive data, including the content of emails. Monitoring for such activities is crucial as they can expose sensitive organizational communications and data. If confirmed as a malicious activity, it suggests that an attacker or insider threat is attempting to gather or exfiltrate data. This can lead to data breaches, loss of intellectual property, or unauthorized access to confidential communications. 
Immediate investigation is required to determine the scope and intent of the activity and to take appropriate remedial actions.
 action.escu.how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity
@@ -12635,7 +13255,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Office 365 Persistence Mechanisms", "Data Exfiltration"]
 action.risk = 1
 action.risk.param._risk_message = User $Source$ has exported a PST file from the search using this operation- $Operation$ with a severity of $Severity$
-action.risk.param._risk = [{"risk_object_field": "Source", "risk_object_type": "user", "risk_score": 48}]
+action.risk.param._risk = [{"risk_object_field": "Source", "risk_object_type": "other", "risk_score": 48}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -12643,7 +13263,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - O365 PST export alert - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "mitre_attack": ["T1114"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest 
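Review bot: The risk message of the new `ESCU - O365 OAuth App Mailbox Access via EWS - Rule` stanza says the application `accesed mailboxes through the Graph API`, which is copied from the Graph API stanza below it and misstates the access path this rule is built around (the `ClientInfoString` regex on Exchange Web Services), besides the spelling; it should read `action.risk.param._risk_message = An OAuth application identified with id $ClientAppId$ accessed mailboxes through Exchange Web Services (EWS).`, and the Graph API stanza's message carries the same `accesed` typo. The new `ESCU - O365 Privileged Graph API Permission Assigned - Rule` stanza maps to `T1003.002` (OS Credential Dumping: Security Account Manager) in both `action.escu.mappings` and `action.correlationsearch.annotations`, which does not describe an application being granted Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All or RoleManagement.ReadWrite.Directory; the T1098 Account Manipulation family, already used by the service-principal credential rule in this file, looks like the intended mapping, so confirm before release. The EWS stanza declares `action.escu.data_models = ["Web"]` although its search reads raw `o365_management_activity` events like the sibling Graph API stanza, which declares `[]`; presumably the two should agree. The Graph API search also repeats the AppId filter (`AppId=* AppId=00000003-0000-0000-c000-000000000000`) and, unlike the EWS search, does not alias `values(ClientIPAddress)` as `src_ip`, so the client-address field is named differently in two otherwise parallel detections.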
@@ -12666,7 +13286,7 @@ search = `o365_management_activity` Category=ThreatManagement Name="eDiscovery s
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies the addition of new credentials for Service Principals in addition to existing legitimate credentials within a Office 365 tenant. These credentials include both x509 certificates and passwords. It leverages O365 audit logs, specifically events related to credential modifications or additions within the AzureActiveDirectory workload for service principals. Service principals represent application identities in Office 365 / AzureAD, and their credentials allow applications to authenticate and access resources. Adding new credentials or modifying existing ones can be an indication of configuration changes, but it can also be a sign of malicious intent If an attacker successfully adds or modifies credentials for a service principal, they can potentially use those credentials to authenticate as the application, gaining access to resources and data the application is permitted to access. This can lead to unauthorized data access, data exfiltration, or malicious operations performed under the guise of the application
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1098", "T1098.001"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.001"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies the addition of new credentials for Service Principals in addition to existing legitimate credentials within a Office 365 tenant. These credentials include both x509 certificates and passwords. It leverages O365 audit logs, specifically events related to credential modifications or additions within the AzureActiveDirectory workload for service principals. 
Service principals represent application identities in Office 365 / AzureAD, and their credentials allow applications to authenticate and access resources. Adding new credentials or modifying existing ones can be an indication of configuration changes, but it can also be a sign of malicious intent If an attacker successfully adds or modifies credentials for a service principal, they can potentially use those credentials to authenticate as the application, gaining access to resources and data the application is permitted to access. This can lead to unauthorized data access, data exfiltration, or malicious operations performed under the guise of the application
 action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
@@ -12678,10 +13298,10 @@ action.escu.full_search_name = ESCU - O365 Service Principal New Client Credenti
 action.escu.search_type = detection
 action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
 action.escu.providing_technologies = null
-action.escu.analytic_story = ["Office 365 Persistence Mechanisms"]
+action.escu.analytic_story = ["Office 365 Persistence Mechanisms", "NOBELIUM Group"]
 action.risk = 1
 action.risk.param._risk_message = New credentials added for Service Principal $object$
-action.risk.param._risk = [{"risk_object_field": "object", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}]
+action.risk.param._risk = [{"risk_object_field": "object", "risk_object_type": "user", "risk_score": 35}, {"risk_object_field": "user", "risk_object_type": "other", "risk_score": 35}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * * 
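Review bot: The new `action.risk.param._risk` line keeps the `object` field (the service principal that received the credential) typed as `"risk_object_type": "user"` while retyping the acting `user` field to `"other"`, which reads inverted: the description a few lines above says service principals are application identities, and `user` is the account that performed the change. If the intent of this commit's user-to-other retyping is that O365 actor UPNs should not be scored as ES user identities, the `object` entry presumably needs `"other"` as well; otherwise the two entries look swapped. Confirm which risk-object typing was intended and make the two entries consistent before this ships.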
@@ -12689,7 +13309,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - O365 Service Principal New Client Credentials - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "mitre_attack": ["T1098", "T1098.001"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.001"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -12712,7 +13332,7 @@ search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Up
 action.escu = 0
 action.escu.enabled = 1
 description = This search detects when an admin configured a forwarding rule for multiple mailboxes to the same destination.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1114.003", "T1114"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.003", "T1114"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search detects when an admin configured a forwarding rule for multiple mailboxes to the same destination.
 action.escu.how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity 
@@ -12724,10 +13344,10 @@ action.escu.full_search_name = ESCU - O365 Suspicious Admin Email Forwarding - R
 action.escu.search_type = detection
 action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
 action.escu.providing_technologies = null
-action.escu.analytic_story = ["Office 365 Persistence Mechanisms", "Data Exfiltration"]
+action.escu.analytic_story = ["Office 365 Collection Techniques", "Data Exfiltration"]
 action.risk = 1
 action.risk.param._risk_message = User $user$ has configured a forwarding rule for multiple mailboxes to the same destination $ForwardingAddress$
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 48}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -12735,7 +13355,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - O365 Suspicious Admin Email Forwarding - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "mitre_attack": ["T1114.003", "T1114"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.003", "T1114"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true 
@@ -12752,7 +13372,7 @@ search = `o365_management_activity` Operation=Set-Mailbox | spath input=Paramete
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic identifies instances where potentially suspicious rights are delegated within the Office 365 environment. Specifically, it detects when a user is granted FullAccess, SendAs, or SendOnBehalf permissions on another user's mailbox. Such permissions can allow a user to access, send emails from, or send emails on behalf of the target mailbox. The detection leverages O365 audit logs, focusing on the Add-MailboxPermission operation. By parsing the parameters of this operation, the analytic filters for events where FullAccess, SendAs, or SendOnBehalf rights are granted. It then aggregates this data to capture the source user (who was granted the permissions), the destination user (whose mailbox was affected), the specific operation, and the type of access rights granted. Delegating mailbox rights, especially those as powerful as FullAccess, can pose significant security risks. While there are legitimate scenarios for these permissions, such as an executive assistant needing access to an executive's mailbox, there are also malicious scenarios where an attacker or a compromised insider might grant themselves unauthorized access to sensitive mailboxes. Monitoring for these permissions changes is crucial to detect potential insider threats, compromised accounts, or other malicious activities.If the detection is a true positive, it indicates that a user has been granted potentially high-risk permissions on another user's mailbox. This could lead to unauthorized access to sensitive emails, impersonation through sending emails as or on behalf of the mailbox owner, or data manipulation by altering or deleting emails. Immediate investigation is required to validate the legitimacy of the permission change and to assess the potential risks associated with the granted access. 
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1114.002", "T1114", "T1098.002", "T1098"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1114.002", "T1114", "T1098.002", "T1098"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = This analytic identifies instances where potentially suspicious rights are delegated within the Office 365 environment. Specifically, it detects when a user is granted FullAccess, SendAs, or SendOnBehalf permissions on another user's mailbox. Such permissions can allow a user to access, send emails from, or send emails on behalf of the target mailbox. The detection leverages O365 audit logs, focusing on the Add-MailboxPermission operation. By parsing the parameters of this operation, the analytic filters for events where FullAccess, SendAs, or SendOnBehalf rights are granted. It then aggregates this data to capture the source user (who was granted the permissions), the destination user (whose mailbox was affected), the specific operation, and the type of access rights granted. Delegating mailbox rights, especially those as powerful as FullAccess, can pose significant security risks. While there are legitimate scenarios for these permissions, such as an executive assistant needing access to an executive's mailbox, there are also malicious scenarios where an attacker or a compromised insider might grant themselves unauthorized access to sensitive mailboxes. Monitoring for these permissions changes is crucial to detect potential insider threats, compromised accounts, or other malicious activities.If the detection is a true positive, it indicates that a user has been granted potentially high-risk permissions on another user's mailbox. This could lead to unauthorized access to sensitive emails, impersonation through sending emails as or on behalf of the mailbox owner, or data manipulation by altering or deleting emails. 
Immediate investigation is required to validate the legitimacy of the permission change and to assess the potential risks associated with the granted access.
 action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
@@ -12764,10 +13384,10 @@ action.escu.full_search_name = ESCU - O365 Suspicious Rights Delegation - Rule
 action.escu.search_type = detection
 action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
 action.escu.providing_technologies = null
-action.escu.analytic_story = ["Office 365 Persistence Mechanisms"]
+action.escu.analytic_story = ["Office 365 Collection Techniques"]
 action.risk = 1
 action.risk.param._risk_message = User $user$ has delegated suspicious rights $AccessRights$ to user $dest_user$ that allow access to sensitive
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 48}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -12775,7 +13395,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - O365 Suspicious Rights Delegation - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "mitre_attack": ["T1114.002", "T1114", "T1098.002", "T1098"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1114.002", "T1114", "T1098.002", "T1098"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest 
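Review bot: The risk message in the Suspicious Rights Delegation stanza, `action.risk.param._risk_message = User $user$ has delegated suspicious rights $AccessRights$ to user $dest_user$ that allow access to sensitive`, ends mid-sentence; it sits on a context line of this hunk, but it is the text analysts see on every risk event this rule raises, so completing it (for example `... that allow access to sensitive mailbox content`) is worth folding into this retagging. The stanza begins in an earlier hunk and its search line lies outside this one.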
@@ -12798,7 +13418,7 @@ search = `o365_management_activity` Operation=Add-MailboxPermission | spath inpu action.escu = 0 action.escu.enabled = 1 description = The following analytic detects when multiple users have configured a forwarding rule to the same destination to proactively identify and investigate potential security risks related to email forwarding and take appropriate actions to protect the organization's data and prevent unauthorized access or data breaches. This detection is made by a Splunk query to O365 management activity logs with the operation `Set-Mailbox` to gather information about mailbox configurations. Then, the query uses the `spath` function to extract the parameters and rename the "Identity" field as "src_user" and searches for entries where the "ForwardingSmtpAddress" field is not empty, which indicates the presence of a forwarding rule. Next, the analytic uses the `stats` command to group the results by the forwarding email address and count the number of unique source users (`src_user`). Finally, it filters the results and only retains entries where the count of source users (`count_src_user`) is greater than 1, which indicates that multiple users have set up forwarding rules to the same destination. This detection is important because it suggests that multiple users are forwarding emails to the same destination without proper authorization, which can lead to the exposure of sensitive information, loss of data control, or unauthorized access to confidential emails. Investigating and addressing this issue promptly can help prevent data breaches and mitigate potential damage.indicates a potential security risk since multiple users forwarding emails to the same destination can be a sign of unauthorized access, data exfiltration, or a compromised account. Additionally, it also helps to determine if the forwarding rules are legitimate or if they indicate a security incident. 
False positives can occur if there are legitimate reasons for multiple users to forward emails to the same destination, such as a shared mailbox or a team collaboration scenario. Next steps include further investigation and context analysis to determine the legitimacy of the forwarding rules. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1114.003", "T1114"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.003", "T1114"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects when multiple users have configured a forwarding rule to the same destination to proactively identify and investigate potential security risks related to email forwarding and take appropriate actions to protect the organization's data and prevent unauthorized access or data breaches. This detection is made by a Splunk query to O365 management activity logs with the operation `Set-Mailbox` to gather information about mailbox configurations. Then, the query uses the `spath` function to extract the parameters and rename the "Identity" field as "src_user" and searches for entries where the "ForwardingSmtpAddress" field is not empty, which indicates the presence of a forwarding rule. Next, the analytic uses the `stats` command to group the results by the forwarding email address and count the number of unique source users (`src_user`). Finally, it filters the results and only retains entries where the count of source users (`count_src_user`) is greater than 1, which indicates that multiple users have set up forwarding rules to the same destination. This detection is important because it suggests that multiple users are forwarding emails to the same destination without proper authorization, which can lead to the exposure of sensitive information, loss of data control, or unauthorized access to confidential emails. 
Investigating and addressing this issue promptly can help prevent data breaches and mitigate potential damage.indicates a potential security risk since multiple users forwarding emails to the same destination can be a sign of unauthorized access, data exfiltration, or a compromised account. Additionally, it also helps to determine if the forwarding rules are legitimate or if they indicate a security incident. False positives can occur if there are legitimate reasons for multiple users to forward emails to the same destination, such as a shared mailbox or a team collaboration scenario. Next steps include further investigation and context analysis to determine the legitimacy of the forwarding rules. action.escu.how_to_implement = You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity @@ -12810,10 +13430,10 @@ action.escu.full_search_name = ESCU - O365 Suspicious User Email Forwarding - Ru action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null -action.escu.analytic_story = ["Office 365 Persistence Mechanisms", "Data Exfiltration"] +action.escu.analytic_story = ["Office 365 Collection Techniques", "Data Exfiltration"] action.risk = 1 action.risk.param._risk_message = User $user$ configured multiple users $src_user$ with a count of $count_src_user$, a forwarding rule to same destination $ForwardingSmtpAddress$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}, {"risk_object_field": "ForwardingSmtpAddress", "risk_object_type": "user", "risk_score": 48}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 48}, {"risk_object_field": "ForwardingSmtpAddress", "risk_object_type": "other", "risk_score": 48}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -12821,7 +13441,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 Suspicious User Email Forwarding - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "mitre_attack": ["T1114.003", "T1114"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Office 365 Collection Techniques", "Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114.003", "T1114"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -12838,7 +13458,7 @@ search = `o365_management_activity` Operation=Set-Mailbox | spath input=Paramete action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies instances where admin consent is granted to an application within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to the admin consent action within the AzureActiveDirectory workload. The admin consent action allows applications to access data across the entire tenant, potentially encompassing a vast amount of organizational data. Given its broad scope and the sensitivity of some permissions that can only be granted via admin consent, it's crucial to monitor this action. Unauthorized or inadvertent granting of admin consent can lead to significant security risks, including data breaches, unauthorized data access, and potential compliance violations. If an attacker successfully tricks an administrator into granting admin consent to a malicious or compromised application, they can gain extensive and persistent access to organizational data. This can lead to data exfiltration, espionage, further malicious activities within the tenant, and potential breaches of compliance regulations -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies instances where admin consent is granted to an application within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to the admin consent action within the AzureActiveDirectory workload. The admin consent action allows applications to access data across the entire tenant, potentially encompassing a vast amount of organizational data. 
Given its broad scope and the sensitivity of some permissions that can only be granted via admin consent, it's crucial to monitor this action. Unauthorized or inadvertent granting of admin consent can lead to significant security risks, including data breaches, unauthorized data access, and potential compliance violations. If an attacker successfully tricks an administrator into granting admin consent to a malicious or compromised application, they can gain extensive and persistent access to organizational data. This can lead to data exfiltration, espionage, further malicious activities within the tenant, and potential breaches of compliance regulations action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. @@ -12850,10 +13470,10 @@ action.escu.full_search_name = ESCU - O365 Tenant Wide Admin Consent Granted - R action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null -action.escu.analytic_story = ["Office 365 Persistence Mechanisms"] +action.escu.analytic_story = ["Office 365 Persistence Mechanisms", "NOBELIUM Group"] action.risk = 1 action.risk.param._risk_message = The $object$ application registration was granted tenant wide admin consent. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 45}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -12861,7 +13481,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 Tenant Wide Admin Consent Granted - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Office 365 Persistence Mechanisms", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -12878,13 +13498,13 @@ relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false -search = `o365_management_activity` Operation="Consent to application." | eval new_field=mvindex('ModifiedProperties{}.NewValue', 4) | rex field=new_field "ConsentType: (?[^\,]+)" | search ConsentType = "AllPrincipals" | stats max(_time) as lastTime by Operation, user, object, ObjectId, ConsentType | `security_content_ctime(lastTime)` | `o365_tenant_wide_admin_consent_granted_filter` +search = `o365_management_activity` Operation="Consent to application." | eval new_field=mvindex('ModifiedProperties{}.NewValue', 4) | rex field=new_field "ConsentType: (?[^\,]+)" | rex field=new_field "Scope: (?[^\,]+)" | search ConsentType = "AllPrincipals" | stats count min(_time) as firstTime max(_time) as lastTime by Operation, user, object, ObjectId, ConsentType, Scope | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_tenant_wide_admin_consent_granted_filter` [ESCU - O365 User Consent Blocked for Risky Application - Rule] action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies instances where Office 365 has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This suggests that the application has exhibited behaviors or characteristics that are commonly associated with malicious intent or poses a security risk. This detection leverages the O365 audit logs, specifically focusing on events related to user consent actions and system-driven blocks. By filtering for blocked consent actions associated with applications, the analytic highlights instances where O365's built-in security measures have intervened. Applications that are flagged and blocked by O365 typically exhibit suspicious characteristics or behaviors. 
Monitoring for these blocked consent attempts helps security teams identify potential threats early on and can provide insights into users who might be targeted or susceptible to such risky applications. It's an essential layer of defense in ensuring that malicious or risky applications don't gain access to organizational data. If the detection is a true positive, it indicates that the built-in security measures of O365 successfully prevented a potentially harmful application from gaining access. However, the attempt itself suggests that either a user might be targeted or that there's a presence of malicious applications trying to infiltrate the organization. Immediate investigation is required to understand the context of the block and to take further preventive measures. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} action.escu.data_models = ["Risk"] action.escu.eli5 = The following analytic identifies instances where Office 365 has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This suggests that the application has exhibited behaviors or characteristics that are commonly associated with malicious intent or poses a security risk. This detection leverages the O365 audit logs, specifically focusing on events related to user consent actions and system-driven blocks. By filtering for blocked consent actions associated with applications, the analytic highlights instances where O365's built-in security measures have intervened. Applications that are flagged and blocked by O365 typically exhibit suspicious characteristics or behaviors. Monitoring for these blocked consent attempts helps security teams identify potential threats early on and can provide insights into users who might be targeted or susceptible to such risky applications. 
It's an essential layer of defense in ensuring that malicious or risky applications don't gain access to organizational data. If the detection is a true positive, it indicates that the built-in security measures of O365 successfully prevented a potentially harmful application from gaining access. However, the attempt itself suggests that either a user might be targeted or that there's a presence of malicious applications trying to infiltrate the organization. Immediate investigation is required to understand the context of the block and to take further preventive measures. action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. @@ -12907,7 +13527,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 User Consent Blocked for Risky Application - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 100, "impact": 30, "mitre_attack": ["T1528"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 100, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
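Review bot: Adding `Scope` to the `stats ... by` clause on the new `search =` line means any "Consent to application." event whose NewValue carries no `Scope:` token (so the new rex leaves the field null) is silently dropped by `stats`, narrowing coverage compared with the previous version, which grouped without Scope. Insert `| fillnull value="unknown" Scope` before the `stats` so those consents are still reported. The `mvindex('ModifiedProperties{}.NewValue', 4)` position is carried over unchanged and presumably depends on a fixed property ordering in the audit record; if it has been validated against current O365 logs, a comment to that effect in the source YAML would help the next maintainer. The capture-group names appear stripped in this rendering (`(?[^\,]+)`); I assume the shipped conf reads `(?<ConsentType>...)` and `(?<Scope>...)`.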
@@ -12930,7 +13550,7 @@ search = `o365_management_activity` Workload=AzureActiveDirectory Operation="Con action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies instances where a user has actively denied consent to an OAuth application seeking permissions within the Office 365 environment. This suggests that the user either recognized something suspicious about the application or chose not to grant it the requested permissions for other reasons. This detection leverages the O365 audit logs, specifically focusing on events related to user consent actions. By filtering for denied consent actions associated with OAuth applications, the analytic captures instances where users have actively rejected permission requests. While user-denied consents can be routine, they can also be indicative of users spotting potentially suspicious or unfamiliar applications. By monitoring these denied consent attempts, security teams can gain insights into applications that might be perceived as risky or untrusted by users. It can also serve as a feedback loop for security awareness training, indicating that users are being cautious about granting permissions. If the detection is a true positive, it indicates that a user has actively prevented an OAuth application from gaining the permissions it requested. While this is a proactive security measure on the user's part, it's essential for security teams to review the context of the denial. Understanding why certain applications are being denied can help in refining application whitelisting policies and ensuring that no malicious applications are attempting to gain access. 
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies instances where a user has actively denied consent to an OAuth application seeking permissions within the Office 365 environment. This suggests that the user either recognized something suspicious about the application or chose not to grant it the requested permissions for other reasons. This detection leverages the O365 audit logs, specifically focusing on events related to user consent actions. By filtering for denied consent actions associated with OAuth applications, the analytic captures instances where users have actively rejected permission requests. While user-denied consents can be routine, they can also be indicative of users spotting potentially suspicious or unfamiliar applications. By monitoring these denied consent attempts, security teams can gain insights into applications that might be perceived as risky or untrusted by users. It can also serve as a feedback loop for security awareness training, indicating that users are being cautious about granting permissions. If the detection is a true positive, it indicates that a user has actively prevented an OAuth application from gaining the permissions it requested. While this is a proactive security measure on the user's part, it's essential for security teams to review the context of the denial. Understanding why certain applications are being denied can help in refining application whitelisting policies and ensuring that no malicious applications are attempting to gain access. action.escu.how_to_implement = You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 events. 
@@ -12945,7 +13565,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Office 365 Account Takeover"] action.risk = 1 action.risk.param._risk_message = User $user$ denifed consent for an OAuth application. -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 30}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 30}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 30}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 30}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -12953,7 +13573,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - O365 User Consent Denied for OAuth Application - Rule -action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 100, "impact": 30, "mitre_attack": ["T1528"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Office 365 Account Takeover"], "cis20": ["CIS 10"], "confidence": 100, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1528"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
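Review bot: The `src_ip` risk object on the new `_risk` line is retyped from `system` to `other`, which removes it from asset-based risk aggregation in Enterprise Security, while the `user` object on the same line keeps type `user` — the opposite of the other O365 rules in this patch, where `user` becomes `other` — so the retyping looks inconsistent rather than a uniform policy. If the source address should still roll up to the asset, keep `{"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 30}`. The unchanged `_risk_message` one line above reads "denifed consent"; since that text is surfaced in the notable it is worth correcting to "denied consent" in the source YAML. The stanza begins before this hunk.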
@@ -12976,7 +13596,7 @@ search = `o365_graph` status.errorCode=65004 | rename userPrincipalName as user action.escu = 0 action.escu.enabled = 1 description = The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} action.escu.data_models = ["Risk"] action.escu.eli5 = The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. 
Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts. action.escu.how_to_implement = Ensure that all relevant detections in the Dev Sec Ops analytic stories are enabled and are configured to create risk events in Enterprise Security. @@ -12994,7 +13614,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - RIR - Risk Rule for Dev Sec Ops by Repository - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -13017,7 +13637,7 @@ search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_ action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search looks for AWS CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment. 
@@ -13040,7 +13660,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Abnormally High AWS Instances Launched by User - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -13057,7 +13677,7 @@ search = `cloudtrail` eventName=RunInstances errorCode=success | bucket span=10m action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search looks for AWS CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel. action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment. 
@@ -13080,7 +13700,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Abnormally High AWS Instances Launched by User - MLTK - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -13097,7 +13717,7 @@ search = `cloudtrail` eventName=RunInstances errorCode=success `abnormally_high_ action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS CloudTrail events where an abnormally high number of instances were successfully terminated by a user in a 10-minute window. This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search looks for AWS CloudTrail events where an abnormally high number of instances were successfully terminated by a user in a 10-minute window. This search is deprecated and have been translated to use the latest Change Datamodel. action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. 
@@ -13120,7 +13740,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Abnormally High AWS Instances Terminated by User - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS EC2 Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS EC2 Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -13137,7 +13757,7 @@ search = `cloudtrail` eventName=TerminateInstances errorCode=success | bucket sp action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS CloudTrail events where a user successfully terminates an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search looks for AWS CloudTrail events where a user successfully terminates an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel. action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment. 
@@ -13160,7 +13780,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - Abnormally High AWS Instances Terminated by User - MLTK - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS EC2 Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS EC2 Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -13177,7 +13797,7 @@ search = `cloudtrail` eventName=TerminateInstances errorCode=success `abnormally
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS provisioning activities from previously unseen cities. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and have been translated to use the latest Change Datamodel.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search looks for AWS provisioning activities from previously unseen cities. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and have been translated to use the latest Change Datamodel.
 action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen AWS Provisioning Activity Sources" support search once to create a history of previously seen locations that have provisioned AWS resources.
@@ -13201,7 +13821,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - AWS Cloud Provisioning From Previously Unseen City - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AWS Suspicious Provisioning Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1535"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["AWS Suspicious Provisioning Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -13218,7 +13838,7 @@ search = `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceI
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS provisioning activities from previously unseen countries. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and have been translated to use the latest Change Datamodel.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search looks for AWS provisioning activities from previously unseen countries. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and have been translated to use the latest Change Datamodel.
 action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen AWS Provisioning Activity Sources" support search once to create a history of previously seen locations that have provisioned AWS resources.
@@ -13242,7 +13862,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - AWS Cloud Provisioning From Previously Unseen Country - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AWS Suspicious Provisioning Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1535"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["AWS Suspicious Provisioning Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -13300,7 +13920,7 @@ search = `cloudtrail` (eventName=Run* OR eventName=Create*) [search `cloudtrail`
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS provisioning activities from previously unseen regions. Region in this context is similar to a state in the United States. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and have been translated to use the latest Change Datamodel.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search looks for AWS provisioning activities from previously unseen regions. Region in this context is similar to a state in the United States. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and have been translated to use the latest Change Datamodel.
 action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen AWS Provisioning Activity Sources" support search once to create a history of previously seen locations that have provisioned AWS resources.
@@ -13324,7 +13944,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - AWS Cloud Provisioning From Previously Unseen Region - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AWS Suspicious Provisioning Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1535"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["AWS Suspicious Provisioning Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -13376,7 +13996,7 @@ search = `aws_cloudwatchlogs_eks` objectRef.resource=secrets OR configmaps sourc
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search allows you to identify the endpoints that have connected to more than five DNS servers and made DNS Queries over the time frame of the search.
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Network_Resolution"]
 action.escu.eli5 = This search allows you to identify the endpoints that have connected to more than five DNS servers and made DNS Queries over the time frame of the search.
 action.escu.how_to_implement = This search requires that DNS data is being ingested and populating the `Network_Resolution` data model. This data can come from DNS logs or from solutions that parse network traffic for this data, such as Splunk Stream or Bro.\
@@ -13401,7 +14021,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - Clients Connecting to Multiple DNS Servers - Rule
-action.correlationsearch.annotations = {"analytic_story": ["DNS Hijacking", "Suspicious DNS Traffic", "Host Redirection", "Command And Control"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["DNS Hijacking", "Suspicious DNS Traffic", "Host Redirection", "Command And Control"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -13463,10 +14083,10 @@ search = `cloudtrail` eventName=DeleteNetworkAcl|rename userIdentity.arn as arn [ESCU - Correlation by Repository and Risk - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} +description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search has been deprecated and updated with Risk Rule for Dev Sec Ops by Repository detection. 
The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts. +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] -action.escu.eli5 = The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. 
Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts. +action.escu.eli5 = This search has been deprecated and updated with Risk Rule for Dev Sec Ops by Repository detection. The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. 
False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts. action.escu.how_to_implement = For Dev Sec Ops POC action.escu.known_false_positives = unknown action.escu.creation_date = 2021-09-06 
@@ -13481,12 +14101,12 @@ cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - RIR - Correlation by Repository and Risk - Rule -action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 100, "impact": 70, "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} +action.correlationsearch.label = ESCU - Deprecated - Correlation by Repository and Risk - Rule +action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. 
False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts. +action.notable.param.rule_description = This search has been deprecated and updated with Risk Rule for Dev Sec Ops by Repository detection. The following analytic detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated. The analytic adds any null values and calculates the sum of the risk scores for each detection. Then, the analytic captures the source and user information for each detection and sorts the results in ascending order based on the risk score. Finally, the analytic filters the detections with a risk score below 80 and focuses only on high-risk detections.This detection is important because it provides valuable insights into the distribution of high-risk activities across different repositories. It also identifies the most vulnerable repositories that are frequently targeted by potential threats. Additionally, it proactively detects and responds to potential threats, thereby minimizing the impact of attacks and safeguarding critical assets. Finally, it provides a comprehensive view of the risk landscape and helps to make informed decisions to protect the organization's data and infrastructure. False positives might occur so it is important to identify the impact of the attack and prioritize response and mitigation efforts. action.notable.param.rule_title = RBA: Correlation by Repository and Risk action.notable.param.security_domain = network action.notable.param.severity = high 
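Review bot: The `+action.correlationsearch.label` line now marks this correlation search Deprecated, but the new side of the hunk still shows `action.correlationsearch.enabled = 1`, `action.notable = 1` and `action.notable.param.severity = high` under the hourly `cron_schedule = 0 * * * *` in the hunk header, with no `disabled = true` in view. Every other Deprecated stanza in this patch carries `disabled = true` right after `alert.digest_mode = 1`; unless that key sits past the end of this hunk, a rule whose own description says it has been superseded will keep raising high-severity notables from `risk_index` every hour. The rest of the stanza, including any `disabled` key, is outside the hunk, so I cannot confirm either way; since dist/ is regenerated by the release job, the place to check and fix is the source detection YAML for this rule. The `action.notable.param.rule_title = RBA: Correlation by Repository and Risk` line could also carry the Deprecated marker so analysts see it in the notable itself, as the label now does.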
@@ -13504,8 +14124,8 @@ search = `risk_index` | fillnull | stats sum(risk_score) as risk_score values(so [ESCU - Correlation by User and Risk - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following analytic detects the correlation between the user and risk score and identifies users with a high risk score that pose a significant security risk such as unauthorized access attempts, suspicious behavior, or potential insider threats. Next, the analytic calculates the sum of the risk scores and groups the results by user, the corresponding signals, and the repository. The results are sorted in descending order based on the risk score and filtered to include records with a risk score greater than 80. Finally, the results are passed through a correlation filter specific to the user and risk. This detection is important because it identifies users who have a high risk score and helps to prioritize investigations and allocate resources. False positives might occur but the impact of such an attack can vary depending on the specific scenario such as data exfiltration, system compromise, or the disruption of critical services. Please investigate this notable event. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} +description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects the correlation between the user and risk score and identifies users with a high risk score that pose a significant security risk such as unauthorized access attempts, suspicious behavior, or potential insider threats. Next, the analytic calculates the sum of the risk scores and groups the results by user, the corresponding signals, and the repository. 
The results are sorted in descending order based on the risk score and filtered to include records with a risk score greater than 80. Finally, the results are passed through a correlation filter specific to the user and risk. This detection is important because it identifies users who have a high risk score and helps to prioritize investigations and allocate resources. False positives might occur but the impact of such an attack can vary depending on the specific scenario such as data exfiltration, system compromise, or the disruption of critical services. Please investigate this notable event. +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects the correlation between the user and risk score and identifies users with a high risk score that pose a significant security risk such as unauthorized access attempts, suspicious behavior, or potential insider threats. Next, the analytic calculates the sum of the risk scores and groups the results by user, the corresponding signals, and the repository. The results are sorted in descending order based on the risk score and filtered to include records with a risk score greater than 80. Finally, the results are passed through a correlation filter specific to the user and risk. This detection is important because it identifies users who have a high risk score and helps to prioritize investigations and allocate resources. False positives might occur but the impact of such an attack can vary depending on the specific scenario such as data exfiltration, system compromise, or the disruption of critical services. Please investigate this notable event. action.escu.how_to_implement = For Dev Sec Ops POC 
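Review bot: The `+description` line of this stanza gains the DEPRECATED banner, but the `action.escu.eli5` context line directly below is left unchanged and still reads as a live analytic, whereas the sibling "Correlation by Repository and Risk" stanza in this same patch updates description, eli5 and rule_description together and names the rule that replaces it. ES surfaces eli5 and rule_description to the analyst, so as generated they will not see that this rule is superseded or what to use instead. Because dist/ is produced by the release job, the change belongs in the source detection YAML rather than here; eli5 should start with the same deprecation sentence as the description and name the replacing rule, mirroring the Repository stanza. This stanza's rule_description is outside the hunk, so I can only infer it was not updated either.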
@@ -13522,8 +14142,8 @@ cron_schedule = 0 * * * *
 dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
-action.correlationsearch.label = ESCU - RIR - Correlation by User and Risk - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 100, "impact": 70, "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
+action.correlationsearch.label = ESCU - Deprecated - Correlation by User and Risk - Rule
+action.correlationsearch.annotations = {"analytic_story": ["Dev Sec Ops"], "cis20": ["CIS 13"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.003", "T1204"], "nist": ["DE.AE"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -13546,7 +14166,7 @@ search = `risk_index` | fillnull | stats sum(risk_score) as risk_score values(so
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for specific authentication events from the Windows Security Event logs to detect potential attempts at using the Pass-the-Hash technique. This search is DEPRECATED as it is possible for event code 4624 to generate a high level of noise, as legitimate logon events may also trigger this event code. This can be especially true in environments with high levels of user activity, such as those with many concurrent logons or frequent logon attempts.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1550", "T1550.002"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.002"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search looks for specific authentication events from the Windows Security Event logs to detect potential attempts at using the Pass-the-Hash technique. This search is DEPRECATED as it is possible for event code 4624 to generate a high level of noise, as legitimate logon events may also trigger this event code. This can be especially true in environments with high levels of user activity, such as those with many concurrent logons or frequent logon attempts.
 action.escu.how_to_implement = To successfully implement this search, you must ingest your Windows Security Event logs and leverage the latest TA for Windows.
@@ -13564,7 +14184,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - Detect Activity Related to Pass the Hash Attacks - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1550", "T1550.002"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.002"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -13622,7 +14242,7 @@ search = `cloudtrail` userIdentity.sessionContext.attributes.mfaAuthenticated=fa
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for successful AWS CloudTrail activity by user accounts that are not listed in the identity table or `aws_service_accounts.csv`. It returns event names and count, as well as the first and last time a specific user or service is detected, grouped by users. Deprecated because managing this list can be quite hard.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search looks for successful AWS CloudTrail activity by user accounts that are not listed in the identity table or `aws_service_accounts.csv`. It returns event names and count, as well as the first and last time a specific user or service is detected, grouped by users. Deprecated because managing this list can be quite hard.
 action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You must also populate the `identity_lookup_expanded` lookup shipped with the Asset and Identity framework to be able to look up users in your identity table in Enterprise Security (ES). Leverage the support search called "Create a list of approved AWS service accounts": run it once every 30 days to create and validate a list of service accounts.\
@@ -13646,7 +14266,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - Detect AWS API Activities From Unapproved Accounts - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AWS User Monitoring"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["AWS User Monitoring"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -13663,7 +14283,7 @@ search = `cloudtrail` errorCode=success | rename userName as identity | search N
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for DNS requests for phishing domains that are leveraging EvilGinx tools to mimic websites.
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1566.003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.003"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Network_Resolution", "Web"]
 action.escu.eli5 = This search looks for DNS requests for phishing domains that are leveraging EvilGinx tools to mimic websites.
 action.escu.how_to_implement = You need to ingest data from your DNS logs in the Network_Resolution datamodel. Specifically you must ingest the domain that is being queried and the IP of the host originating the request. Ideally, you should also be ingesting the answer to the query and the query type. This approach allows you to also create your own localized passive DNS capability which can aid you in future investigations. You will have to add legitimate domain names to the `legit_domains.csv` file shipped with the app. \
@@ -13690,7 +14310,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - Detect DNS requests to Phishing Sites leveraging EvilGinx2 - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Common Phishing Frameworks"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1566.003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Common Phishing Frameworks"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566.003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -13713,7 +14333,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search is used to detect attempts to use DNS tunneling, by calculating the length of responses to DNS TXT queries. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting unusually large volumes of DNS traffic. Deprecated because this detection should focus on DNS queries instead of DNS responses.
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Network_Resolution"]
 action.escu.eli5 = This search is used to detect attempts to use DNS tunneling, by calculating the length of responses to DNS TXT queries. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting unusually large volumes of DNS traffic. Deprecated because this detection should focus on DNS queries instead of DNS responses.
 action.escu.how_to_implement = To successfully implement this search you need to ingest data from your DNS logs, or monitor DNS traffic using Stream, Bro or something similar. Specifically, this query requires that the DNS data model is populated with information regarding the DNS record type that is being returned as well as the data in the answer section of the protocol.
@@ -13736,7 +14356,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - Detect Long DNS TXT Record Response - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious DNS Traffic", "Command And Control"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious DNS Traffic", "Command And Control"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -13759,7 +14379,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for reading loaded Images unique to credential dumping with Mimikatz. Deprecated because mimikatz libraries changed and very noisy sysmon Event Code.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = This search looks for reading loaded Images unique to credential dumping with Mimikatz. Deprecated because mimikatz libraries changed and very noisy sysmon Event Code.
 action.escu.how_to_implement = This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 7 with powershell.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.
@@ -13782,7 +14402,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - Detect Mimikatz Using Loaded Images - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Detect Zerologon Attack", "Cloud Federated Credential Abuse", "DarkSide Ransomware", "CISA AA22-257A", "CISA AA22-264A", "CISA AA22-320A", "Sandworm Tools"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Detect Zerologon Attack", "Cloud Federated Credential Abuse", "DarkSide Ransomware", "CISA AA22-257A", "CISA AA22-264A", "CISA AA22-320A", "Sandworm Tools"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -13805,7 +14425,7 @@ search = `sysmon` EventCode=7 | stats values(ImageLoaded) as ImageLoaded values(
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for PowerShell requesting privileges consistent with credential dumping. Deprecated, looks like things changed from a logging perspective.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.001"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = This search looks for PowerShell requesting privileges consistent with credential dumping. Deprecated, looks like things changed from a logging perspective.
 action.escu.how_to_implement = You must be ingesting Windows Security logs. You must also enable the account change auditing here: http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/MonitorWindowseventlogdata. Additionally, this search requires you to enable your Group Management Audit Logs in your Local Windows Security Policy and to be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/. Finally, please make sure that the local administrator group name is "Administrators" to be able to look for the right group membership changes.
@@ -13828,7 +14448,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - Detect Mimikatz Via PowerShell And EventCode 4703 - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Cloud Federated Credential Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1003.001"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Cloud Federated Credential Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -13851,7 +14471,7 @@ search = `wineventlog_security` signature_id=4703 Process_Name=*powershell.exe |
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search detects new API calls that have either never been seen before or that have not been seen in the previous hour, where the identity type is `AssumedRole`.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search detects new API calls that have either never been seen before or that have not been seen in the previous hour, where the identity type is `AssumedRole`.
 action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously seen API call per user roles in AWS CloudTrail" support search once to create a history of previously seen user roles.
@@ -13874,7 +14494,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - Detect new API calls from user roles - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AWS User Monitoring"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["AWS User Monitoring"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -13891,7 +14511,7 @@ search = `cloudtrail` eventType=AwsApiCall errorCode=success userIdentity.type=A
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour. Deprecated now this search is updated to use the Authentication datamodel.
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour. Deprecated now this search is updated to use the Authentication datamodel.
 action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Run the "Previously seen users in AWS CloudTrail" support search only once to create a baseline of previously seen IAM users within the last 30 days.
Run "Update previously seen users in AWS CloudTrail" hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.
@@ -13909,7 +14529,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - Detect new user AWS Console Login - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS Login Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious AWS Login Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -13926,7 +14546,7 @@ search = `cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user |
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search will detect users creating spikes of API activity in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and have been translated to use the latest Change Datamodel.
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search will detect users creating spikes of API activity in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and have been translated to use the latest Change Datamodel.
 action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike.\
@@ -13955,7 +14575,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - Detect Spike in AWS API Activity - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AWS User Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["AWS User Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -13972,7 +14592,7 @@ search = `cloudtrail` eventType=AwsApiCall [search `cloudtrail` eventType=AwsApi
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search will detect users creating spikes in API activity related to network access-control lists (ACLs)in your AWS environment. This search is deprecated and have been translated to use the latest Change Datamodel.
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1562.007"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search will detect users creating spikes in API activity related to network access-control lists (ACLs)in your AWS environment. This search is deprecated and have been translated to use the latest Change Datamodel.
 action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the "Baseline of Network ACL Activity by ARN" support search once to create a lookup file of previously seen Network ACL Activity. To add or remove API event names related to network ACLs, edit the macro `network_acl_events`.
@@ -13995,7 +14615,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - Detect Spike in Network ACL Activity - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AWS Network ACL Activity"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1562.007"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["AWS Network ACL Activity"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -14012,7 +14632,7 @@ search = `cloudtrail` `network_acl_events` [search `cloudtrail` `network_acl_eve
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search will detect users creating spikes in API activity related to security groups in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and have been translated to use the latest Change Datamodel.
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search will detect users creating spikes in API activity related to security groups in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and have been translated to use the latest Change Datamodel.
 action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike.This search works best when you run the "Baseline of Security Group Activity by ARN" support search once to create a history of previously seen Security Group Activity.
To add or remove API event names for security groups, edit the macro `security_group_api_calls`.
@@ -14035,7 +14655,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - Detect Spike in Security Group Activity - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AWS User Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["AWS User Monitoring"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -14098,7 +14718,7 @@ search = | tstats `security_content_summariesonly` count earliest(_time) AS earl
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for web connections to dynamic DNS providers.
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1071.001"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.001"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Web"]
 action.escu.eli5 = This search looks for web connections to dynamic DNS providers.
 action.escu.how_to_implement = This search requires you to be ingesting web-traffic logs. You can obtain these logs from indexing data from a web proxy or by using a network-traffic-analysis tool, such as Bro or Splunk Stream. The web data model must contain the URL being requested, the IP address of the host initiating the request, and the destination IP. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of dynamic DNS providers. Consider periodically updating this local lookup file with new domains.\
@@ -14123,7 +14743,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - Detect web traffic to dynamic domain providers - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Dynamic DNS"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1071.001"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Dynamic DNS"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.001"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -14147,7 +14767,7 @@ action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search is used to detect DNS tunneling, by calculating the sum of the length of DNS queries and DNS answers. The search also filters out potential false positives by filtering out queries made to internal systems and the queries originating from internal DNS, Web, and Email servers. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting an unusually large volume of DNS traffic. \
 NOTE:Deprecated because existing detection is doing the same. This detection is replaced with two other variations, if you are using MLTK then you can use this search `ESCU - DNS Query Length Outliers - MLTK - Rule` or use the standard deviation version `ESCU - DNS Query Length With High Standard Deviation - Rule`, as an alternantive.
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Network_Resolution"]
 action.escu.eli5 = This search is used to detect DNS tunneling, by calculating the sum of the length of DNS queries and DNS answers. The search also filters out potential false positives by filtering out queries made to internal systems and the queries originating from internal DNS, Web, and Email servers. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting an unusually large volume of DNS traffic. \
 NOTE:Deprecated because existing detection is doing the same.
This detection is replaced with two other variations, if you are using MLTK then you can use this search `ESCU - DNS Query Length Outliers - MLTK - Rule` or use the standard deviation version `ESCU - DNS Query Length With High Standard Deviation - Rule`, as an alternantive.
@@ -14171,7 +14791,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - Detection of DNS Tunnels - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Data Protection", "Suspicious DNS Traffic", "Command And Control"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Data Protection", "Suspicious DNS Traffic", "Command And Control"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048.003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -14195,7 +14815,7 @@ search = | tstats `security_content_summariesonly` dc("DNS.query") as count fro
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search will detect DNS requests resolved by unauthorized DNS servers. Legitimate DNS servers should be identified in the Enterprise Security Assets and Identity Framework.
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1071.004"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.004"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Network_Resolution"]
 action.escu.eli5 = This search will detect DNS requests resolved by unauthorized DNS servers. Legitimate DNS servers should be identified in the Enterprise Security Assets and Identity Framework.
 action.escu.how_to_implement = To successfully implement this search you will need to ensure that DNS data is populating the Network_Resolution data model. It also requires that your DNS servers are identified correctly in the Assets and Identity table of Enterprise Security.
@@ -14218,7 +14838,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule
-action.correlationsearch.annotations = {"analytic_story": ["DNS Hijacking", "Suspicious DNS Traffic", "Host Redirection", "Command And Control"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1071.004"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["DNS Hijacking", "Suspicious DNS Traffic", "Host Redirection", "Command And Control"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.004"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -14241,7 +14861,7 @@ search = | tstats `security_content_summariesonly` count from datamodel=Network_
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. The search takes the DNS records and their answers results of the discovered_dns_records lookup and finds if any records have changed by searching DNS response from the Network_Resolution datamodel across the last day.
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1071.004"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.004"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Network_Resolution"]
 action.escu.eli5 = The search takes the DNS records and their answers results of the discovered_dns_records lookup and finds if any records have changed by searching DNS response from the Network_Resolution datamodel across the last day.
 action.escu.how_to_implement = To successfully implement this search you will need to ensure that DNS data is populating the `Network_Resolution` data model. It also requires that the `discover_dns_record` lookup table be populated by the included support search "Discover DNS record". \
@@ -14268,7 +14888,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - DNS record changed - Rule
-action.correlationsearch.annotations = {"analytic_story": ["DNS Hijacking"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1071.004"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["DNS Hijacking"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1071.004"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -14292,7 +14912,7 @@ action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. Detect a renamed instance of procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. Modify the query as needed.\
 During triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.001"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = Detect a renamed instance of procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. Modify the query as needed.\
 During triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe.
@@ -14311,7 +14931,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - Dump LSASS via procdump Rename - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "HAFNIUM Group", "CISA AA22-257A"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1003.001"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "HAFNIUM Group", "CISA AA22-257A"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -14328,7 +14948,7 @@ search = `sysmon` OriginalFileName=procdump process_name!=procdump*.exe EventI
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for EC2 instances being modified by users who have not previously modified them. This search is deprecated and have been translated to use the latest Change Datamodel.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search looks for EC2 instances being modified by users who have not previously modified them. This search is deprecated and have been translated to use the latest Change Datamodel.
 action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen EC2 Launches By User" support search once to create a history of previously seen ARNs. To add or remove APIs that modify an EC2 instance, edit the macro `ec2_modification_api_calls`.
@@ -14351,7 +14971,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - EC2 Instance Modified With Previously Unseen User - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Unusual AWS EC2 Modifications"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Unusual AWS EC2 Modifications"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -14368,7 +14988,7 @@ search = `cloudtrail` `ec2_modification_api_calls` [search `cloudtrail` `ec2_mod action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for AWS CloudTrail events where an instance is started in a particular region in the last one hour and then compares it to a lookup file of previously seen regions where an instance was started -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search looks for AWS CloudTrail events where an instance is started in a particular region in the last one hour and then compares it to a lookup file of previously seen regions where an instance was started action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Run the "Previously seen AWS Regions" support search only once to create of baseline of previously seen regions. This search is deprecated and have been translated to use the latest Change Datamodel. 
@@ -14391,7 +15011,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - EC2 Instance Started In Previously Unseen Region - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1535"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1535"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -14488,7 +15108,7 @@ search = `cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunI action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for EC2 instances being created by users who have not created them before. This search is deprecated and have been translated to use the latest Change Datamodel. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search looks for EC2 instances being created by users who have not created them before. This search is deprecated and have been translated to use the latest Change Datamodel. action.escu.how_to_implement = You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the "Previously Seen EC2 Launches By User" support search once to create a history of previously seen ARNs. 
@@ -14511,7 +15131,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - EC2 Instance Started With Previously Unseen User - Rule -action.correlationsearch.annotations = {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.004"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -14528,7 +15148,7 @@ search = `cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunI action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for processes launched from files with at least five spaces in the name before the extension. This is typically done to obfuscate the file extension by pushing it outside of the default view. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1036.003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for processes launched from files with at least five spaces in the name before the extension. This is typically done to obfuscate the file extension by pushing it outside of the default view. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -14551,7 +15171,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Execution of File With Spaces Before Extension - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows File Extension and Association Abuse", "Masquerading - Rename System Utilities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1036.003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Windows File Extension and Association Abuse", "Masquerading - Rename System Utilities"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -14609,7 +15229,7 @@ search = `netbackup` MESSAGE="Disk/Partition backup completed successfully." | s action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for command-line arguments that use a `/c` parameter to execute a command that has not previously been seen. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.001", "T1059.003"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059.003"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for command-line arguments that use a `/c` parameter to execute a command that has not previously been seen. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -14627,7 +15247,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - First time seen command line argument - Rule -action.correlationsearch.annotations = {"analytic_story": ["DHS Report TA18-074A", "Suspicious Command-Line Executions", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Hidden Cobra Malware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1059.001", "T1059.003"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["DHS Report TA18-074A", "Suspicious Command-Line Executions", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Hidden Cobra Malware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059.003"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -14644,7 +15264,7 @@ search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_ action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides detection of accounts with high risk roles by projects. Compromised accounts with high risk roles can move laterally or even scalate privileges at different projects depending on organization schema. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} action.escu.data_models = ["Email"] action.escu.eli5 = This search provides detection of accounts with high risk roles by projects. Compromised accounts with high risk roles can move laterally or even scalate privileges at different projects depending on organization schema. action.escu.how_to_implement = You must install splunk GCP add-on. This search works with gcp:pubsub:message logs @@ -14662,7 +15282,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - GCP Detect accounts with high risk roles by project - Rule -action.correlationsearch.annotations = {"analytic_story": ["GCP Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["GCP Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -14679,7 +15299,7 @@ search = `google_gcp_pubsub_message` data.protoPayload.request.policy.bindings{} action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides detection of high risk permissions by resource and accounts. These are permissions that can allow attackers with compromised accounts to move laterally and escalate privileges. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} action.escu.data_models = ["Email"] action.escu.eli5 = This search provides detection of high risk permissions by resource and accounts. These are permissions that can allow attackers with compromised accounts to move laterally and escalate privileges. action.escu.how_to_implement = You must install splunk GCP add-on. This search works with gcp:pubsub:message logs @@ -14697,7 +15317,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - GCP Detect high risk permissions by resource and account - Rule -action.correlationsearch.annotations = {"analytic_story": ["GCP Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["GCP Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -14714,7 +15334,7 @@ search = `google_gcp_pubsub_message` data.protoPayload.authorizationInfo{}.permi action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides detection of possible GCP Oauth token abuse. GCP Oauth token without time limit can be exfiltrated and reused for keeping access sessions alive without further control of authentication, allowing attackers to access and move laterally. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search provides detection of possible GCP Oauth token abuse. GCP Oauth token without time limit can be exfiltrated and reused for keeping access sessions alive without further control of authentication, allowing attackers to access and move laterally. action.escu.how_to_implement = You must install splunk GCP add-on. This search works with gcp:pubsub:message logs 
@@ -14732,7 +15352,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - gcp detect oauth token abuse - Rule -action.correlationsearch.annotations = {"analytic_story": ["GCP Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["GCP Cross Account Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -14749,7 +15369,7 @@ search = `google_gcp_pubsub_message` type.googleapis.com/google.cloud.audit.Audi action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1526"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.CM"]} action.escu.data_models = ["Email"] action.escu.eli5 = This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster action.escu.how_to_implement = You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk. You must also install Cloud Infrastructure data model.Customize the macro kubernetes_gcp_scan_fingerprint_attack_detection to filter out FPs. 
@@ -14772,7 +15392,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - GCP Kubernetes cluster scan detection - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Scanning Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1526"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Scanning Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -14795,7 +15415,7 @@ search = `google_gcp_pubsub_message` data.protoPayload.requestMetadata.callerIp! action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This detection search will help profile user accounts in your environment by identifying newly created accounts that have been added to your network in the past week. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078.002"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.002"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This detection search will help profile user accounts in your environment by identifying newly created accounts that have been added to your network in the past week. action.escu.how_to_implement = To successfully implement this search, you need to be populating the Enterprise Security Identity_Management data model in the assets and identity framework. 
@@ -14813,7 +15433,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Identify New User Accounts - Rule -action.correlationsearch.annotations = {"analytic_story": ["Account Monitoring and Controls"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1078.002"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Account Monitoring and Controls"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.002"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -14861,6 +15481,41 @@ realtime_schedule = 0 is_visible = false search = `aws_cloudwatchlogs_eks` user.groups{}=system:serviceaccounts objectRef.resource=pods | table sourceIPs{} user.username userAgent verb annotations.authorization.k8s.io/decision | top sourceIPs{} user.username verb annotations.authorization.k8s.io/decision |`kubernetes_aws_detect_most_active_service_accounts_by_pod_filter` +[ESCU - Kubernetes AWS detect RBAC authorization by account - Rule] +action.escu = 0 +action.escu.enabled = 1 +description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences +action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} +action.escu.data_models = [] +action.escu.eli5 = This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences +action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs +action.escu.known_false_positives = Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted. 
+action.escu.creation_date = 2020-06-23 +action.escu.modification_date = 2020-06-23 +action.escu.confidence = high +action.escu.full_search_name = ESCU - Kubernetes AWS detect RBAC authorization by account - Rule +action.escu.search_type = detection +action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] +action.escu.providing_technologies = null +action.escu.analytic_story = ["Kubernetes Sensitive Role Activity"] +cron_schedule = 0 * * * * +dispatch.earliest_time = -70m@m +dispatch.latest_time = -10m@m +action.correlationsearch.enabled = 1 +action.correlationsearch.label = ESCU - Deprecated - Kubernetes AWS detect RBAC authorization by account - Rule +action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Role Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]} +schedule_window = auto +alert.digest_mode = 1 +disabled = true +enableSched = 1 +allow_skew = 100% +counttype = number of events +relation = greater than +quantity = 0 +realtime_schedule = 0 +is_visible = false +search = `aws_cloudwatchlogs_eks` annotations.authorization.k8s.io/reason=* | table sourceIPs{} user.username userAgent annotations.authorization.k8s.io/reason | stats count by user.username annotations.authorization.k8s.io/reason | rare user.username annotations.authorization.k8s.io/reason |`kubernetes_aws_detect_rbac_authorization_by_account_filter` + [ESCU - Kubernetes AWS detect sensitive role access - Rule] action.escu = 0 action.escu.enabled = 1 
@@ -15180,7 +15835,7 @@ search = `kubernetes_azure` category=kube-audit | spath input=properties.log | s action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information of unauthenticated requests via source IP user agent, request URI and response status data against Kubernetes cluster in Azure -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search provides information of unauthenticated requests via source IP user agent, request URI and response status data against Kubernetes cluster in Azure action.escu.how_to_implement = You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics @@ -15198,7 +15853,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Kubernetes Azure scan fingerprint - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Scanning Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1526"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Scanning Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1526"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -15563,7 +16218,7 @@ search = | from datamodel Alerts.Alerts | search app=osquery:results (name=pack_ action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for processes launching netsh.exe to execute various commands via the netsh command-line utility. Netsh.exe is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper .dll when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe that are executing commands via the command line. Deprecated because we have another detection of the same type. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.004"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for processes launching netsh.exe to execute various commands via the netsh command-line utility. Netsh.exe is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper .dll when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe that are executing commands via the command line. Deprecated because we have another detection of the same type. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -15586,7 +16241,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Processes created by netsh - Rule -action.correlationsearch.annotations = {"analytic_story": ["Netsh Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1562.004"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Netsh Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -15644,7 +16299,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. The search looks for command-line arguments used to hide a file or directory using the reg add command. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1564.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The search looks for command-line arguments used to hide a file or directory using the reg add command. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -15667,7 +16322,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deprecated - Reg exe used to hide files directories via registry keys - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Suspicious Windows Registry Activities", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1564.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Suspicious Windows Registry Activities", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -15736,7 +16391,7 @@ search = | tstats `security_content_summariesonly` count values(Registry.registr action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for flags passed to schtasks.exe on the command-line that indicate that task names related to the execution of Bad Rabbit ransomware were created or deleted. Deprecated because we already have a similar detection -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.005"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for flags passed to schtasks.exe on the command-line that indicate that task names related to the execution of Bad Rabbit ransomware were created or deleted. Deprecated because we already have a similar detection action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -15759,7 +16414,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - Scheduled tasks used in BadRabbit ransomware - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1053.005"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -15874,7 +16529,7 @@ search = index=_internal sourcetype=splunkd_ui_access server-info | search clien
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for changes to registry values that control Windows file associations, executed by a process that is not typical for legitimate, routine changes to this area.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1546.001"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.001"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search looks for changes to registry values that control Windows file associations, executed by a process that is not typical for legitimate, routine changes to this area.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -15897,7 +16552,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - Suspicious Changes to File Associations - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Windows Registry Activities", "Windows File Extension and Association Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1546.001"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Windows Registry Activities", "Windows File Extension and Association Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.001"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -15920,7 +16575,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This detection looks for emails that are suspicious because of their sender, domain rareness, or behavior differences. This is an anomaly generated by Splunk User Behavior Analytics (UBA).
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Email", "UEBA"]
 action.escu.eli5 = This detection looks for emails that are suspicious because of their sender, domain rareness, or behavior differences. This is an anomaly generated by Splunk User Behavior Analytics (UBA).
 action.escu.how_to_implement = You must be ingesting data from email logs and have Splunk integrated with UBA. This anomaly is raised by a UBA detection model called "SuspiciousEmailDetectionModel." Ensure that this model is enabled on your UBA instance.
@@ -15943,7 +16598,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - Suspicious Email - UBA Anomaly - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Emails"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1566"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Emails"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -15995,7 +16650,7 @@ search = | tstats `security_content_summariesonly` count values(Filesystem.actio
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for PowerShell processes started with a base64 encoded command-line passed to it, with parameters to modify the execution policy for the process, and those that prevent the display of an interactive prompt to the user. This combination of command-line options is suspicious because it overrides the default PowerShell execution policy, attempts to hide itself from the user, and passes an encoded script to be run on the command-line. Deprecated because almost the same as Malicious PowerShell Process - Encoded Command
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.001"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search looks for PowerShell processes started with a base64 encoded command-line passed to it, with parameters to modify the execution policy for the process, and those that prevent the display of an interactive prompt to the user. This combination of command-line options is suspicious because it overrides the default PowerShell execution policy, attempts to hide itself from the user, and passes an encoded script to be run on the command-line. Deprecated because almost the same as Malicious PowerShell Process - Encoded Command
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed.
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -16018,7 +16673,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - Suspicious Powershell Command-Line Arguments - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "CISA AA22-320A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1059.001"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "CISA AA22-320A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -16041,7 +16696,7 @@ search = | tstats `security_content_summariesonly` count values(Processes.proces
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. The following hunting analytic identifies renamed instances of rundll32.exe executing. rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, validate it is the legitimate rundll32.exe executing and what script content it is loading. This query relies on the original filename or internal name from the PE meta data. Expand the query as needed by looking for specific command line arguments outlined in other analytics.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1036", "T1218.011", "T1036.003"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1036", "T1218.011", "T1036.003"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following hunting analytic identifies renamed instances of rundll32.exe executing. rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, validate it is the legitimate rundll32.exe executing and what script content it is loading. This query relies on the original filename or internal name from the PE meta data. Expand the query as needed by looking for specific command line arguments outlined in other analytics.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed.
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -16059,7 +16714,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - Suspicious Rundll32 Rename - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Rundll32 Activity", "Masquerading - Rename System Utilities"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1218", "T1036", "T1218.011", "T1036.003"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Rundll32 Activity", "Masquerading - Rename System Utilities"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1036", "T1218.011", "T1036.003"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -16076,7 +16731,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search detects writes to the 'System Volume Information' folder by something other than the System process.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1036"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search detects writes to the 'System Volume Information' folder by something other than the System process.
 action.escu.how_to_implement = You need to be ingesting logs with both the process name and command-line from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
@@ -16094,7 +16749,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - Suspicious writes to System Volume Information - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Collection and Staging"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1036"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Collection and Staging"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -16111,7 +16766,7 @@ search = (`sysmon` OR tag=process) EventCode=11 process_id!=4 file_path=*System\
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search looks for applications on the endpoint that you have marked as uncommon.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1204.002"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.002"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search looks for applications on the endpoint that you have marked as uncommon.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -16129,7 +16784,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - Uncommon Processes On Endpoint - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Privilege Escalation", "Unusual Processes", "Hermetic Wiper"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1204.002"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Privilege Escalation", "Unusual Processes", "Hermetic Wiper"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204.002"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -16146,7 +16801,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search detects loading of unsigned images by LSASS. Deprecated because too noisy.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.001"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = This search detects loading of unsigned images by LSASS. Deprecated because too noisy.
 action.escu.how_to_implement = This search needs Sysmon Logs with a sysmon configuration, which includes EventCode 7 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.
@@ -16169,7 +16824,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - Unsigned Image Loaded by LSASS - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1003.001"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -16227,7 +16882,7 @@ search = `netbackup` | stats latest(_time) as latestTime by COMPUTERNAME, MESSAG
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search is used to identify the creation of multiple user accounts using the same email domain name.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1136"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = This search is used to identify the creation of multiple user accounts using the same email domain name.
 action.escu.how_to_implement = We start with a dataset that provides visibility into the email address used for the account creation. In this example, we are narrowing our search down to the single web page that hosts the Magento2 e-commerce platform (via URI) used for account creation, the single http content-type to grab only the user's clicks, and the http field that provides the username (form_data), for performance reasons. After we have the username and email domain, we look for numerous account creations per email domain. Common data sources used for this detection are customized Apache logs or Splunk Stream.
@@ -16250,7 +16905,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - Web Fraud - Account Harvesting - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Web Fraud Detection"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1136"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Web Fraud Detection"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -16273,7 +16928,7 @@ search = `stream_http` http_content_type=text* uri="/magento2/customer/account/l
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search is used to examine web sessions to identify those where the clicks are occurring too quickly for a human or are occurring with a near-perfect cadence (high periodicity or low standard deviation), resembling a script driven session.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search is used to examine web sessions to identify those where the clicks are occurring too quickly for a human or are occurring with a near-perfect cadence (high periodicity or low standard deviation), resembling a script driven session.
 action.escu.how_to_implement = Start with a dataset that allows you to see clickstream data for each user click on the website. That data must have a time stamp and must contain a reference to the session identifier being used by the website. This ties the clicks together into clickstreams. This value is usually found in the http cookie. With a bit of tuning, a version of this search could be used in high-volume scenarios, such as scraping, crawling, application DDOS, credit-card testing, account takeover, etc. Common data sources used for this detection are customized Apache logs, customized IIS, and Splunk Stream.
@@ -16296,7 +16951,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - Web Fraud - Anomalous User Clickspeed - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Web Fraud Detection"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Web Fraud Detection"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -16353,7 +17008,7 @@ search = `stream_http` http_content_type=text* uri=/magento2/customer/account/lo
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. The search looks for the Console Window Host process (connhost.exe) executed using the force flag -ForceV1. This is not regular behavior in the Windows OS and is often seen executed by the Ryuk Ransomware. DEPRECATED This event is actually seen in the windows 10 client of attack_range_local. After further testing we realized this is not specific to Ryuk.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The search looks for the Console Window Host process (connhost.exe) executed using the force flag -ForceV1. This is not regular behavior in the Windows OS and is often seen executed by the Ryuk Ransomware. DEPRECATED This event is actually seen in the windows 10 client of attack_range_local. After further testing we realized this is not specific to Ryuk.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product.
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -16376,7 +17031,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deprecated - Windows connhost exe started forcefully - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Ryuk Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1059.003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Ryuk Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -16445,7 +17100,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The analytic provided below employs the Network_Resolution datamodel to detect domain indicators associated with the 3CX supply chain attack. By leveraging this query, you can efficiently conduct retrospective analysis of your data to uncover potential compromises.
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1195.002"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.002"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Network_Resolution"]
 action.escu.eli5 = The analytic provided below employs the Network_Resolution datamodel to detect domain indicators associated with the 3CX supply chain attack. By leveraging this query, you can efficiently conduct retrospective analysis of your data to uncover potential compromises.
 action.escu.how_to_implement = To successfully implement this search you need to be ingesting information into the `Network Resolution` datamodel in the `DNS` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA''s are installed.
@@ -16460,7 +17115,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["3CX Supply Chain Attack"]
 action.risk = 1
 action.risk.param._risk_message = Indicators related to 3CX supply chain attack have been identified on $src$.
-action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 100}, {"threat_object_field": "query", "threat_object_type": "url string"}]
+action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 100}, {"threat_object_field": "query", "threat_object_type": "url"}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -16468,7 +17123,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - 3CX Supply Chain Attack Network Indicators - Rule
-action.correlationsearch.annotations = {"analytic_story": ["3CX Supply Chain Attack"], "cis20": ["CIS 13"], "confidence": 100, "cve": ["CVE-2023-29059"], "impact": 100, "mitre_attack": ["T1195.002"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["3CX Supply Chain Attack"], "cis20": ["CIS 13"], "confidence": 100, "cve": ["CVE-2023-29059"], "impact": 100, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.002"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -16491,7 +17146,7 @@ search = | tstats `security_content_summariesonly` values(DNS.answer) as IPs min
 action.escu = 0
 action.escu.enabled = 1
 description = This search is to detect a suspicious 7z process with commandline pointing to SMB network share. This technique was seen in CONTI LEAK tools where it use 7z to archive a sensitive files and place it in network share tmp folder. This search is a good hunting query that may give analyst a hint why specific user try to archive a file pointing to SMB user which is un usual.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search is to detect a suspicious 7z process with commandline pointing to SMB network share. This technique was seen in CONTI LEAK tools where it use 7z to archive a sensitive files and place it in network share tmp folder. This search is a good hunting query that may give analyst a hint why specific user try to archive a file pointing to SMB user which is un usual.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -16509,7 +17164,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - 7zip CommandLine To SMB Share Path - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -16526,7 +17181,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the dumping of the LSASS process memory, which occurs during credential dumping attacks.The detection is made by using Sysmon logs, specifically EventCode 10, which is related to lsass.exe. This helps to search for indicators of LSASS memory dumping such as specific call traces to dbgcore.dll and dbghelp.dll. This detection is important because it prevents credential dumping attacks and the theft of sensitive information such as login credentials, which can be used to gain unauthorized access to systems and data. False positives might occur due to legitimate administrative tasks. Next steps include reviewing and investigating each case, given the high risk associated with potential credential dumping attacks. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects the dumping of the LSASS process memory, which occurs during credential dumping attacks.The detection is made by using Sysmon logs, specifically EventCode 10, which is related to lsass.exe. This helps to search for indicators of LSASS memory dumping such as specific call traces to dbgcore.dll and dbghelp.dll. This detection is important because it prevents credential dumping attacks and the theft of sensitive information such as login credentials, which can be used to gain unauthorized access to systems and data. False positives might occur due to legitimate administrative tasks. Next steps include reviewing and investigating each case, given the high risk associated with potential credential dumping attacks. 
action.escu.how_to_implement = This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. @@ -16549,7 +17204,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Access LSASS Memory for Dump Creation - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Credential Dumping"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Credential Dumping"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -16572,7 +17227,7 @@ search = `sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR action.escu = 0 action.escu.enabled = 1 description = This search is to detect a potential account discovery series of command used by several malware or attack to recon the target machine. This technique is also seen in some note worthy malware like trickbot where it runs a cmd process, or even drop its module that will execute the said series of net command. This series of command are good correlation search and indicator of attacker recon if seen in the machines within a none technical user or department (HR, finance, ceo and etc) network. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search is to detect a potential account discovery series of command used by several malware or attack to recon the target machine. This technique is also seen in some note worthy malware like trickbot where it runs a cmd process, or even drop its module that will execute the said series of net command. This series of command are good correlation search and indicator of attacker recon if seen in the machines within a none technical user or department (HR, finance, ceo and etc) network. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -16595,7 +17250,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Account Discovery With Net App - Rule -action.correlationsearch.annotations = {"analytic_story": ["Trickbot", "IcedID"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Trickbot", "IcedID"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -16618,7 +17273,7 @@ search = | tstats `security_content_summariesonly` values(Processes.process) as action.escu = 0 action.escu.enabled = 1 description = The primary objective of this correlation rule is to detect and alert on potential lateral movement activities within an organization's Active Directory (AD) environment. By identifying multiple analytics associated with the Active Directory Lateral Movement analytic story, security analysts can gain better insight into possible threats and respond accordingly to mitigate risks. The correlation rule will trigger an alert when multiple analytics from the Active Directory Lateral Movement analytic story are detected within a specified time frame. The rule will generate an alert if a predetermined threshold of correlated analytics is reached within the specified time frame. This threshold can be customized to suit the needs and risk appetite of the organization. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]} action.escu.data_models = ["Risk"] action.escu.eli5 = The primary objective of this correlation rule is to detect and alert on potential lateral movement activities within an organization's Active Directory (AD) environment. By identifying multiple analytics associated with the Active Directory Lateral Movement analytic story, security analysts can gain better insight into possible threats and respond accordingly to mitigate risks. The correlation rule will trigger an alert when multiple analytics from the Active Directory Lateral Movement analytic story are detected within a specified time frame. The rule will generate an alert if a predetermined threshold of correlated analytics is reached within the specified time frame. This threshold can be customized to suit the needs and risk appetite of the organization. 
action.escu.how_to_implement = Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased as the analytic story includes over 30 analytics. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance. @@ -16636,7 +17291,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - RIR - Active Directory Lateral Movement Identified - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1210"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -16659,7 +17314,7 @@ search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_ action.escu = 0 action.escu.enabled = 1 description = The primary objective of this correlation rule is to detect and alert on potential privilege escalation activities within an organization's Active Directory (AD) environment. By identifying multiple analytics associated with the Active Directory Privilege Escalation analytic story, security analysts can gain better insight into possible threats and respond accordingly to mitigate risks. The correlation rule will trigger an alert when multiple analytics from the Active Directory Privilege Escalation analytic story are detected within a specified time frame. The rule will generate an alert if a predetermined threshold of correlated analytics is reached within the specified time frame. This threshold can be customized to suit the needs and risk appetite of the organization. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1484"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484"], "nist": ["DE.AE"]} action.escu.data_models = ["Risk"] action.escu.eli5 = The primary objective of this correlation rule is to detect and alert on potential privilege escalation activities within an organization's Active Directory (AD) environment. By identifying multiple analytics associated with the Active Directory Privilege Escalation analytic story, security analysts can gain better insight into possible threats and respond accordingly to mitigate risks. The correlation rule will trigger an alert when multiple analytics from the Active Directory Privilege Escalation analytic story are detected within a specified time frame. The rule will generate an alert if a predetermined threshold of correlated analytics is reached within the specified time frame. This threshold can be customized to suit the needs and risk appetite of the organization. 
action.escu.how_to_implement = Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased as the analytic story includes over 30 analytics. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance. @@ -16677,7 +17332,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - RIR - Active Directory Privilege Escalation Identified - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1484"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484"], "nist": ["DE.AE"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -16700,7 +17355,7 @@ search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_ action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect a suspicious modification of the active setup registry for persistence and privilege escalation. This technique was seen in several malware (poisonIvy), adware and APT to gain persistence to the compromised machine upon boot up. This TTP is a good indicator to further check the process id that do the modification since modification of this registry is not commonly done. check the legitimacy of the file and process involve in this rules to check if it is a valid setup installer that creating or modifying this registry. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.014", "T1547"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.014", "T1547"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to detect a suspicious modification of the active setup registry for persistence and privilege escalation. This technique was seen in several malware (poisonIvy), adware and APT to gain persistence to the compromised machine upon boot up. This TTP is a good indicator to further check the process id that do the modification since modification of this registry is not commonly done. check the legitimacy of the file and process involve in this rules to check if it is a valid setup installer that creating or modifying this registry. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 
@@ -16723,7 +17378,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Active Setup Registry Autostart - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Windows Privilege Escalation", "Hermetic Wiper", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1547.014", "T1547"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Windows Privilege Escalation", "Hermetic Wiper", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.014", "T1547"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -16746,7 +17401,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint action.escu = 0 action.escu.enabled = 1 description = this search is to detect a suspicious registry modification to implement auto admin logon to a host. This technique was seen in BlackMatter ransomware to automatically logon to the compromise host after triggering a safemode boot to continue encrypting the whole network. This behavior is not a common practice and really a suspicious TTP or alert need to be consider if found within then network premise. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = this search is to detect a suspicious registry modification to implement auto admin logon to a host. This technique was seen in BlackMatter ransomware to automatically logon to the compromise host after triggering a safemode boot to continue encrypting the whole network. This behavior is not a common practice and really a suspicious TTP or alert need to be consider if found within then network premise. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 
@@ -16769,7 +17424,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Add DefaultUser And Password In Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackMatter Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["BlackMatter Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -16786,7 +17441,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint action.escu = 0 action.escu.enabled = 1 description = This analytic will identify a suspicious process command-line related to Windows Defender exclusion feature. This command is abused by adversaries, malware authors and red teams to bypass Windows Defender Antivirus products by excluding folder path, file path, process and extensions. From its real time or schedule scan to execute their malicious code. This is a good indicator for defense evasion and to look further for events after this behavior. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic will identify a suspicious process command-line related to Windows Defender exclusion feature. This command is abused by adversaries, malware authors and red teams to bypass Windows Defender Antivirus products by excluding folder path, file path, process and extensions. From its real time or schedule scan to execute their malicious code. This is a good indicator for defense evasion and to look further for events after this behavior. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -16809,7 +17464,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Add or Set Windows Defender Exclusion - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-320A", "AgentTesla", "Remcos", "Windows Defense Evasion Tactics", "Data Destruction", "WhisperGate"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-320A", "AgentTesla", "Remcos", "Windows Defense Evasion Tactics", "Data Destruction", "WhisperGate"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -16832,7 +17487,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain users for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain users for situational awareness and Active Directory Discovery. action.escu.how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. 
@@ -16855,7 +17510,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - AdsiSearcher Account Discovery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Industroyer2", "Active Directory Discovery", "CISA AA23-347A", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Industroyer2", "Active Directory Discovery", "CISA AA23-347A", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -16878,7 +17533,7 @@ search = `powershell` EventCode=4104 ScriptBlockText = "*[adsisearcher]*" Script action.escu = 0 action.escu.enabled = 1 description = This search is to detect a suspicious modification of firewall to allow file and printer sharing. This technique was seen in ransomware to be able to discover more machine connected to the compromised host to encrypt more files -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search is to detect a suspicious modification of firewall to allow file and printer sharing. This technique was seen in ransomware to be able to discover more machine connected to the compromised host to encrypt more files action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -16901,7 +17556,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Allow File And Printing Sharing In Firewall - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "BlackByte Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "BlackByte Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -16924,7 +17579,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic detects a potential suspicious modification of firewall rule registry allowing inbound traffic in specific port with public profile. This technique was identified when an adversary wants to grant remote access to a machine by allowing the traffic in a firewall rule. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects a potential suspicious modification of firewall rule registry allowing inbound traffic in specific port with public profile. This technique was identified when an adversary wants to grant remote access to a machine by allowing the traffic in a firewall rule. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 
@@ -16947,7 +17602,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch", "Windows Registry Abuse", "Azorult", "NjRAT", "PlugX"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch", "Windows Registry Abuse", "Azorult", "NjRAT", "PlugX"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -16970,7 +17625,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies suspicious PowerShell command to allow inbound traffic inbound to a specific local port within the public profile. This technique was seen in some attacker want to have a remote access to a machine by allowing the traffic in firewall rule. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies suspicious PowerShell command to allow inbound traffic inbound to a specific local port within the public profile. This technique was seen in some attacker want to have a remote access to a machine by allowing the traffic in firewall rule. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event. @@ -16993,7 +17648,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Allow Inbound Traffic In Firewall Rule - Rule -action.correlationsearch.annotations = {"analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch"], "cis20": ["CIS 10"], "confidence": 30, "impact": 10, "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch"], "cis20": ["CIS 10"], "confidence": 30, "impact": 10, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -17016,7 +17671,7 @@ search = `powershell` EventCode=4104 Message = "*firewall*" Message = "*Inbound* action.escu = 0 action.escu.enabled = 1 description = This search is to detect a suspicious modification to the firewall to allow network discovery on a machine. This technique was seen in couple of ransomware (revil, reddot) to discover other machine connected to the compromised host to encrypt more files. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search is to detect a suspicious modification to the firewall to allow network discovery on a machine. This technique was seen in couple of ransomware (revil, reddot) to discover other machine connected to the compromised host to encrypt more files. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -17039,7 +17694,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Allow Network Discovery In Firewall - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Revil Ransomware", "BlackByte Ransomware", "NjRAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Revil Ransomware", "BlackByte Ransomware", "NjRAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.007", "T1562"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -17062,7 +17717,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic identifies a potential privilege escalation attempt to perform malicious task. This registry modification is designed to allow the `Consent Admin` to perform an operation that requires elevation without consent or credentials. We also found this in some attacker to gain privilege escalation to the compromise machine. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic identifies a potential privilege escalation attempt to perform malicious task. This registry modification is designed to allow the `Consent Admin` to perform an operation that requires elevation without consent or credentials. We also found this in some attacker to gain privilege escalation to the compromise machine. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 
@@ -17085,7 +17740,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Allow Operation with Consent Admin - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Windows Registry Abuse", "Azorult"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1548"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Windows Registry Abuse", "Azorult"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -17108,7 +17763,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint action.escu = 0 action.escu.enabled = 1 description = The following detection identifies a 7z.exe spawned from `Rundll32.exe` or `Dllhost.exe`. It is assumed that the adversary has brought in `7z.exe` and `7z.dll`. It has been observed where an adversary will rename `7z.exe`. Additional coverage may be required to identify the behavior of renamed instances of `7z.exe`. During triage, identify the source of injection into `Rundll32.exe` or `Dllhost.exe`. Capture any files written to disk and analyze as needed. Review parallel processes for additional behaviors. Typically, archiving files will result in exfiltration. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following detection identifies a 7z.exe spawned from `Rundll32.exe` or `Dllhost.exe`. It is assumed that the adversary has brought in `7z.exe` and `7z.dll`. It has been observed where an adversary will rename `7z.exe`. Additional coverage may be required to identify the behavior of renamed instances of `7z.exe`. During triage, identify the source of injection into `Rundll32.exe` or `Dllhost.exe`. Capture any files written to disk and analyze as needed. Review parallel processes for additional behaviors. Typically, archiving files will result in exfiltration. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. 
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -17131,7 +17786,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Anomalous usage of 7zip - Rule -action.correlationsearch.annotations = {"analytic_story": ["NOBELIUM Group", "BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["NOBELIUM Group", "BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -17148,7 +17803,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the use of PowerShell downloading a file using `DownloadFile` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.001", "T1105"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Command and Control"], "mitre_attack": ["T1059", "T1059.001", "T1105"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the use of PowerShell downloading a file using `DownloadFile` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -17160,7 +17815,7 @@ action.escu.full_search_name = ESCU - Any Powershell DownloadFile - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkCrystal RAT", "Ingress Tool Transfer", "Hermetic Wiper", "Malicious PowerShell", "Data Destruction", "Log4Shell CVE-2021-44228"] +action.escu.analytic_story = ["DarkCrystal RAT", "Ingress Tool Transfer", "Hermetic Wiper", "Malicious PowerShell", "Data Destruction", "Log4Shell CVE-2021-44228", "Phemedrone Stealer"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadFile within PowerShell. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 56}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 56}] 
@@ -17171,7 +17826,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Any Powershell DownloadFile - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkCrystal RAT", "Ingress Tool Transfer", "Hermetic Wiper", "Malicious PowerShell", "Data Destruction", "Log4Shell CVE-2021-44228"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2021-44228"], "impact": 80, "mitre_attack": ["T1059", "T1059.001", "T1105"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["DarkCrystal RAT", "Ingress Tool Transfer", "Hermetic Wiper", "Malicious PowerShell", "Data Destruction", "Log4Shell CVE-2021-44228", "Phemedrone Stealer"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2021-44228"], "impact": 80, "kill_chain_phases": ["Installation", "Command and Control"], "mitre_attack": ["T1059", "T1059.001", "T1105"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -17194,7 +17849,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the use of PowerShell downloading a file using `DownloadString` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.001", "T1105"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Command and Control"], "mitre_attack": ["T1059", "T1059.001", "T1105"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the use of PowerShell downloading a file using `DownloadString` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -17206,7 +17861,7 @@ action.escu.full_search_name = ESCU - Any Powershell DownloadString - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Winter Vivern", "Ingress Tool Transfer", "Hermetic Wiper", "Malicious PowerShell", "HAFNIUM Group", "Data Destruction", "IcedID", "SysAid On-Prem Software CVE-2023-47246 Vulnerability"] +action.escu.analytic_story = ["Winter Vivern", "Ingress Tool Transfer", "Hermetic Wiper", "Malicious PowerShell", "HAFNIUM Group", "Data Destruction", "IcedID", "SysAid On-Prem Software CVE-2023-47246 Vulnerability", "Phemedrone Stealer"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadString within PowerShell. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 56}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 56}] 
@@ -17217,7 +17872,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Any Powershell DownloadString - Rule -action.correlationsearch.annotations = {"analytic_story": ["Winter Vivern", "Ingress Tool Transfer", "Hermetic Wiper", "Malicious PowerShell", "HAFNIUM Group", "Data Destruction", "IcedID", "SysAid On-Prem Software CVE-2023-47246 Vulnerability"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "mitre_attack": ["T1059", "T1059.001", "T1105"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Winter Vivern", "Ingress Tool Transfer", "Hermetic Wiper", "Malicious PowerShell", "HAFNIUM Group", "Data Destruction", "IcedID", "SysAid On-Prem Software CVE-2023-47246 Vulnerability", "Phemedrone Stealer"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Installation", "Command and Control"], "mitre_attack": ["T1059", "T1059.001", "T1105"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -17240,7 +17895,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the use of tools that are commonly exploited by cybercriminals since these tools are usually associated with malicious activities such as unauthorized access, network scanning, or data exfiltration and pose a significant threat to an organization's security infrastructure. It also provides enhanced visibility into potential security threats and helps to proactively detect and respond to mitigate the risks associated with cybercriminal activities. This detection is made by examining the process activity on the host, specifically focusing on processes that are known to be associated with attacker tool names. This detection is important because it acts as an early warning system for potential security incidents that allows you to respond to security incidents promptly. False positives might occur due to legitimate administrative activities that can resemble malicious actions. You must develop a comprehensive understanding of typical endpoint activities and behaviors within the organization to accurately interpret and respond to the alerts generated by this analytic. This ensures a proper balance between precision and minimizing false positives. 
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1036.005", "T1036", "T1003", "T1595"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Reconnaissance"], "mitre_attack": ["T1036.005", "T1036", "T1003", "T1595"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects the use of tools that are commonly exploited by cybercriminals since these tools are usually associated with malicious activities such as unauthorized access, network scanning, or data exfiltration and pose a significant threat to an organization's security infrastructure. It also provides enhanced visibility into potential security threats and helps to proactively detect and respond to mitigate the risks associated with cybercriminal activities. This detection is made by examining the process activity on the host, specifically focusing on processes that are known to be associated with attacker tool names. This detection is important because it acts as an early warning system for potential security incidents that allows you to respond to security incidents promptly. False positives might occur due to legitimate administrative activities that can resemble malicious actions. You must develop a comprehensive understanding of typical endpoint activities and behaviors within the organization to accurately interpret and respond to the alerts generated by this analytic. This ensures a proper balance between precision and minimizing false positives. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -17263,7 +17918,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Attacker Tools On Endpoint - Rule -action.correlationsearch.annotations = {"analytic_story": ["Monitor for Unauthorized Software", "XMRig", "SamSam Ransomware", "Unusual Processes", "CISA AA22-264A"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1036.005", "T1036", "T1003", "T1595"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Monitor for Unauthorized Software", "XMRig", "SamSam Ransomware", "Unusual Processes", "CISA AA22-264A"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Reconnaissance"], "mitre_attack": ["T1036.005", "T1036", "T1003", "T1595"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -17286,7 +17941,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic detects whether a process is attempting to add a certificate to the untrusted certificate store, which might result in security tools being disabled. The detection is made by focusing on process activities and command-line arguments that are related to the 'certutil -addstore' command. This detection is important because it helps to identify attackers who might add a certificate to the untrusted certificate store to disable security tools and gain unauthorized access to a system. False positives might occur since legitimate reasons might exist for a process to add a certificate to the untrusted certificate store, such as system administration tasks. Next steps include conducting an extensive triage and investigation prior to taking any action. Additionally, you must understand the importance of trust and its subversion in system security. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1553.004", "T1553"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.004", "T1553"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects whether a process is attempting to add a certificate to the untrusted certificate store, which might result in security tools being disabled. The detection is made by focusing on process activities and command-line arguments that are related to the 'certutil -addstore' command. This detection is important because it helps to identify attackers who might add a certificate to the untrusted certificate store to disable security tools and gain unauthorized access to a system. 
False positives might occur since legitimate reasons might exist for a process to add a certificate to the untrusted certificate store, such as system administration tasks. Next steps include conducting an extensive triage and investigation prior to taking any action. Additionally, you must understand the importance of trust and its subversion in system security. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -17309,7 +17964,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Attempt To Add Certificate To Untrusted Store - Rule -action.correlationsearch.annotations = {"analytic_story": ["Disabling Security Tools"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "mitre_attack": ["T1553.004", "T1553"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Disabling Security Tools"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.004", "T1553"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -17332,7 +17987,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic detects attempts to stop security-related services on the endpoint and helps to mitigate potential threats earlier, thereby minimizing the impact on the organization's security. The detection is made by using a Splunk query that searches for processes that involve the "sc.exe" command and include the phrase "stop" in their command. The query collects information such as the process name, process ID, parent process, user, destination, and timestamps. The detection is important because attempts to stop security-related services can indicate malicious activity or an attacker's attempt to disable security measures. This can impact the organization's security posture and can lead to the compromise of the endpoint and potentially the entire network. Disabling security services can allow attackers to gain unauthorized access, exfiltrate sensitive data, or launch further attacks, such as malware installation or privilege escalation. False positives might occur since there might be legitimate reasons for stopping these services in certain situations. Therefore, you must exercise caution and consider the context of the activity before taking any action. Next steps include reviewing the identified process and its associated details. You must also investigate any on-disk artifacts related to the process and review concurrent processes to determine the source of the attack. 
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects attempts to stop security-related services on the endpoint and helps to mitigate potential threats earlier, thereby minimizing the impact on the organization's security. The detection is made by using a Splunk query that searches for processes that involve the "sc.exe" command and include the phrase "stop" in their command. The query collects information such as the process name, process ID, parent process, user, destination, and timestamps. The detection is important because attempts to stop security-related services can indicate malicious activity or an attacker's attempt to disable security measures. This can impact the organization's security posture and can lead to the compromise of the endpoint and potentially the entire network. Disabling security services can allow attackers to gain unauthorized access, exfiltrate sensitive data, or launch further attacks, such as malware installation or privilege escalation. False positives might occur since there might be legitimate reasons for stopping these services in certain situations. Therefore, you must exercise caution and consider the context of the activity before taking any action. Next steps include reviewing the identified process and its associated details. You must also investigate any on-disk artifacts related to the process and review concurrent processes to determine the source of the attack. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -17355,7 +18010,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Attempt To Stop Security Service - Rule -action.correlationsearch.annotations = {"analytic_story": ["WhisperGate", "Graceful Wipe Out Attack", "Disabling Security Tools", "Data Destruction", "Azorult", "Trickbot"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["WhisperGate", "Graceful Wipe Out Attack", "Disabling Security Tools", "Data Destruction", "Azorult", "Trickbot"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -17378,7 +18033,7 @@ search = | tstats `security_content_summariesonly` values(Processes.process) as action.escu = 0 action.escu.enabled = 1 description = Monitor for execution of reg.exe with parameters specifying an export of keys that contain hashed credentials that attackers may try to crack offline. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = Monitor for execution of reg.exe with parameters specifying an export of keys that contain hashed credentials that attackers may try to crack offline. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -17401,7 +18056,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Attempted Credential Dump From Registry via Reg exe - Rule -action.correlationsearch.annotations = {"analytic_story": ["Industroyer2", "Windows Registry Abuse", "Credential Dumping", "CISA AA23-347A", "DarkSide Ransomware", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Industroyer2", "Windows Registry Abuse", "Credential Dumping", "CISA AA23-347A", "DarkSide Ransomware", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -17424,7 +18079,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = this search is to detect a suspicious registry modification to implement auto admin logon to a host. This technique was seen in BlackMatter ransomware to automatically logon to the compromise host after triggering a safemode boot to continue encrypting the whole network. This behavior is not a common practice and really a suspicious TTP or alert need to be consider if found within then network premise. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = this search is to detect a suspicious registry modification to implement auto admin logon to a host. This technique was seen in BlackMatter ransomware to automatically logon to the compromise host after triggering a safemode boot to continue encrypting the whole network. This behavior is not a common practice and really a suspicious TTP or alert need to be consider if found within then network premise. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 
@@ -17447,7 +18102,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Auto Admin Logon Registry Entry - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackMatter Ransomware", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["BlackMatter Ransomware", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -17470,7 +18125,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint action.escu = 0 action.escu.enabled = 1 description = The search looks for a batch file (.bat) written to the Windows system directory tree. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The search looks for a batch file (.bat) written to the Windows system directory tree. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. 
@@ -17493,7 +18148,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Batch File Write to System32 - Rule -action.correlationsearch.annotations = {"analytic_story": ["SamSam Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["SamSam Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -17516,7 +18171,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint action.escu = 0 action.escu.enabled = 1 description = This search is to detect a suspicious bcdedit commandline to configure the host from safe mode back to normal boot configuration. This technique was seen in blackMatter ransomware where it force the compromised host to boot in safe mode to continue its encryption and bring back to normal boot using bcdedit deletevalue command. This TTP can be a good alert for host that booted from safe mode forcefully since it need to modify the boot configuration to bring it back to normal. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search is to detect a suspicious bcdedit commandline to configure the host from safe mode back to normal boot configuration. This technique was seen in blackMatter ransomware where it force the compromised host to boot in safe mode to continue its encryption and bring back to normal boot using bcdedit deletevalue command. This TTP can be a good alert for host that booted from safe mode forcefully since it need to modify the boot configuration to bring it back to normal. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -17539,7 +18194,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Bcdedit Command Back To Normal Mode Boot - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackMatter Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "mitre_attack": ["T1490"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["BlackMatter Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -17562,7 +18217,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This search looks for flags passed to bcdedit.exe modifications to the built-in Windows error recovery boot configurations. This is typically used by ransomware to prevent recovery. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for flags passed to bcdedit.exe modifications to the built-in Windows error recovery boot configurations. This is typically used by ransomware to prevent recovery. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -17585,7 +18240,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - BCDEdit Failure Recovery Modification - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ryuk Ransomware", "Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "mitre_attack": ["T1490"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Ryuk Ransomware", "Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -17608,7 +18263,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` scheduling a BITS job to persist on an endpoint. The query identifies the parameters used to create, resume or add a file to a BITS job. Typically seen combined in a oneliner or ran in sequence. If identified, review the BITS job created and capture any files written to disk. It is possible for BITS to be used to upload files and this may require further network data analysis to identify. You can use `bitsadmin /list /verbose` to list out the jobs during investigation. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1197"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1197"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` scheduling a BITS job to persist on an endpoint. The query identifies the parameters used to create, resume or add a file to a BITS job. Typically seen combined in a oneliner or ran in sequence. If identified, review the BITS job created and capture any files written to disk. It is possible for BITS to be used to upload files and this may require further network data analysis to identify. You can use `bitsadmin /list /verbose` to list out the jobs during investigation. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. 
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -17631,7 +18286,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - BITS Job Persistence - Rule -action.correlationsearch.annotations = {"analytic_story": ["BITS Jobs", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1197"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["BITS Jobs", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1197"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -17654,7 +18309,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` using the `transfer` parameter to download a remote object. In addition, look for `download` or `upload` on the command-line, the switches are not required to perform a transfer. Capture any files downloaded. Review the reputation of the IP or domain used. Typically once executed, a follow on command will be used to execute the dropped file. Note that the network connection or file modification events related will not spawn or create from `bitsadmin.exe`, but the artifacts will appear in a parallel process of `svchost.exe` with a command-line similar to `svchost.exe -k netsvcs -s BITS`. It's important to review all parallel and child processes to capture any behaviors and artifacts. In some suspicious and malicious instances, BITS jobs will be created. You can use `bitsadmin /list /verbose` to list out the jobs during investigation. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1197", "T1105"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation", "Command and Control"], "mitre_attack": ["T1197", "T1105"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` using the `transfer` parameter to download a remote object. In addition, look for `download` or `upload` on the command-line, the switches are not required to perform a transfer. Capture any files downloaded. Review the reputation of the IP or domain used. Typically once executed, a follow on command will be used to execute the dropped file. 
Note that the network connection or file modification events related will not spawn or create from `bitsadmin.exe`, but the artifacts will appear in a parallel process of `svchost.exe` with a command-line similar to `svchost.exe -k netsvcs -s BITS`. It's important to review all parallel and child processes to capture any behaviors and artifacts. In some suspicious and malicious instances, BITS jobs will be created. You can use `bitsadmin /list /verbose` to list out the jobs during investigation. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -17677,7 +18332,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - BITSAdmin Download File - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ingress Tool Transfer", "BITS Jobs", "DarkSide Ransomware", "Living Off The Land", "Flax Typhoon"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1197", "T1105"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Ingress Tool Transfer", "BITS Jobs", "DarkSide Ransomware", "Living Off The Land", "Flax Typhoon"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation", "Command and Control"], "mitre_attack": ["T1197", "T1105"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -17700,7 +18355,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = Certutil.exe may download a file from a remote destination using `-urlcache`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. However, it is uncommon for `certutil.exe` to write files to world writeable paths.\ During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = Certutil.exe may download a file from a remote destination using `-urlcache`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. However, it is uncommon for `certutil.exe` to write files to world writeable paths.\ During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -17723,7 +18378,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - CertUtil Download With URLCache and Split Arguments - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ingress Tool Transfer", "DarkSide Ransomware", "Living Off The Land", "ProxyNotShell", "CISA AA22-277A", "Flax Typhoon", "Forest Blizzard"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "mitre_attack": ["T1105"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Ingress Tool Transfer", "DarkSide Ransomware", "Living Off The Land", "ProxyNotShell", "CISA AA22-277A", "Flax Typhoon", "Forest Blizzard"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -17746,7 +18401,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = Certutil.exe may download a file from a remote destination using `-VerifyCtl`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. \ During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. Using `-VerifyCtl`, the file will either be written to the current working directory or `%APPDATA%\..\LocalLow\Microsoft\CryptnetUrlCache\Content\`. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = Certutil.exe may download a file from a remote destination using `-VerifyCtl`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. \ During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. Using `-VerifyCtl`, the file will either be written to the current working directory or `%APPDATA%\..\LocalLow\Microsoft\CryptnetUrlCache\Content\`. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. 
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -17769,7 +18424,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ingress Tool Transfer", "DarkSide Ransomware", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "mitre_attack": ["T1105"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Ingress Tool Transfer", "DarkSide Ransomware", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -17838,7 +18493,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = CertUtil.exe may be used to `encode` and `decode` a file, including PE and script code. Encoding will convert a file to base64 with `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` tags. Malicious usage will include decoding a encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used - `encodehex` and `decodehex`. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1140"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1140"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = CertUtil.exe may be used to `encode` and `decode` a file, including PE and script code. Encoding will convert a file to base64 with `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` tags. Malicious usage will include decoding a encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used - `encodehex` and `decodehex`. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -17861,7 +18516,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - CertUtil With Decode Argument - Rule -action.correlationsearch.annotations = {"analytic_story": ["Deobfuscate-Decode Files or Information", "Living Off The Land", "Forest Blizzard"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "mitre_attack": ["T1140"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Deobfuscate-Decode Files or Information", "Living Off The Land", "Forest Blizzard"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1140"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -17884,7 +18539,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic is developed to detect suspicious registry modification to change the default file association of windows to malicious payload. This technique was seen in some APT where it modify the default process to run file association, like .txt to notepad.exe. Instead notepad.exe it will point to a Script or other payload that will load malicious commands to the compromised host. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1546.001", "T1546"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.001", "T1546"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is developed to detect suspicious registry modification to change the default file association of windows to malicious payload. This technique was seen in some APT where it modify the default process to run file association, like .txt to notepad.exe. Instead notepad.exe it will point to a Script or other payload that will load malicious commands to the compromised host. action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. 
@@ -17907,7 +18562,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Change Default File Association - Rule -action.correlationsearch.annotations = {"analytic_story": ["Hermetic Wiper", "Windows Registry Abuse", "Prestige Ransomware", "Windows Privilege Escalation", "Windows Persistence Techniques", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1546.001", "T1546"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Hermetic Wiper", "Windows Registry Abuse", "Prestige Ransomware", "Windows Privilege Escalation", "Windows Persistence Techniques", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.001", "T1546"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -17930,7 +18585,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTim action.escu = 0 action.escu.enabled = 1 description = This search is to detect a suspicious bcdedit commandline to configure the host to boot in safe mode with network config. This technique was seen in blackMatter ransomware where it force the compromised host to boot in safe mode to continue its encryption and bring back to normal boot using bcdedit deletevalue command. This TTP can be a good alert for host that booted from safe mode forcefully since it need to modify the boot configuration to bring it back to normal. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search is to detect a suspicious bcdedit commandline to configure the host to boot in safe mode with network config. This technique was seen in blackMatter ransomware where it force the compromised host to boot in safe mode to continue its encryption and bring back to normal boot using bcdedit deletevalue command. This TTP can be a good alert for host that booted from safe mode forcefully since it need to modify the boot configuration to bring it back to normal. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -17953,7 +18608,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Change To Safe Mode With Network Config - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackMatter Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1490"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["BlackMatter Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -17976,7 +18631,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This search is to detect execution of chcp.exe application. this utility is used to change the active code page of the console. This technique was seen in icedid malware to know the locale region/language/country of the compromise host. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search is to detect execution of chcp.exe application. this utility is used to change the active code page of the console. This technique was seen in icedid malware to know the locale region/language/country of the compromise host. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -17999,7 +18654,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - CHCP Command Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Azorult", "Forest Blizzard"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "mitre_attack": ["T1059"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Azorult", "Forest Blizzard"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -18022,7 +18677,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This search is to detect a suspicious whoami execution to check if the cmd or shell instance process is with elevated privileges. This technique was seen in FIN7 js implant where it execute this as part of its data collection to the infected machine to check if the running shell cmd process is elevated or not. This TTP is really a good alert for known attacker that recon on the targetted host. This command is not so commonly executed by a normal user or even an admin to check if a process is elevated. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1033"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search is to detect a suspicious whoami execution to check if the cmd or shell instance process is with elevated privileges. This technique was seen in FIN7 js implant where it execute this as part of its data collection to the infected machine to check if the running shell cmd process is elevated or not. This TTP is really a good alert for known attacker that recon on the targetted host. This command is not so commonly executed by a normal user or even an admin to check if a process is elevated. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -18045,7 +18700,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Check Elevated CMD using whoami - Rule -action.correlationsearch.annotations = {"analytic_story": ["FIN7"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1033"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["FIN7"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -18068,7 +18723,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for child processes of spoolsv.exe. This activity is associated with a POC privilege-escalation exploit associated with CVE-2018-8440. Spoolsv.exe is the process associated with the Print Spooler service in Windows and typically runs as SYSTEM.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search looks for child processes of spoolsv.exe. This activity is associated with a POC privilege-escalation exploit associated with CVE-2018-8440. Spoolsv.exe is the process associated with the Print Spooler service in Windows and typically runs as SYSTEM.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model.
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -18091,7 +18746,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Child Processes of Spoolsv exe - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2018-8440"], "impact": 50, "mitre_attack": ["T1068"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2018-8440"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -18114,7 +18769,7 @@ search = | tstats `security_content_summariesonly` count values(Processes.proces
 action.escu = 0
 action.escu.enabled = 1
 description = this search is to detect execution of `cipher.exe` to clear the unallocated sectors of a specific disk. This technique was seen in some ransomware to make it impossible to forensically recover deleted files.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = this search is to detect execution of `cipher.exe` to clear the unallocated sectors of a specific disk. This technique was seen in some ransomware to make it impossible to forensically recover deleted files.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -18137,7 +18792,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Clear Unallocated Sector Using Cipher App - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -18160,7 +18815,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytics are designed to identifies some CLOP ransomware variant that using arguments to execute its main code or feature of its code. In this variant if the parameter is "runrun", CLOP ransomware will try to encrypt files in network shares and if it is "temp.dat", it will try to read from some stream pipe or file start encrypting files within the infected local machines. This technique can be also identified as an anti-sandbox technique to make its code non-responsive since it is waiting for some parameter to execute properly.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1204"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytics are designed to identifies some CLOP ransomware variant that using arguments to execute its main code or feature of its code. In this variant if the parameter is "runrun", CLOP ransomware will try to encrypt files in network shares and if it is "temp.dat", it will try to read from some stream pipe or file start encrypting files within the infected local machines. This technique can be also identified as an anti-sandbox technique to make its code non-responsive since it is waiting for some parameter to execute properly.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions.
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -18183,7 +18838,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Clop Common Exec Parameter - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Clop Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "mitre_attack": ["T1204"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Clop Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -18206,7 +18861,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This detection is to identify the common service name created by the CLOP ransomware as part of its persistence and high privilege code execution in the infected machine. Ussually CLOP ransomware use StartServiceCtrlDispatcherW API in creating this service entry.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1543"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = This detection is to identify the common service name created by the CLOP ransomware as part of its persistence and high privilege code execution in the infected machine. Ussually CLOP ransomware use StartServiceCtrlDispatcherW API in creating this service entry.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.
@@ -18229,7 +18884,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Clop Ransomware Known Service Name - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Clop Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "mitre_attack": ["T1543"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Clop Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -18252,7 +18907,7 @@ search = `wineventlog_system` EventCode=7045 Service_Name IN ("SecurityCenterIBM
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.003", "T1059"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003", "T1059"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product.
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -18270,7 +18925,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - CMD Carry Out String Command Parameter - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT", "Winter Vivern", "WhisperGate", "Living Off The Land", "DarkGate Malware", "ProxyNotShell", "Log4Shell CVE-2021-44228", "NjRAT", "RedLine Stealer", "Rhysida Ransomware", "IcedID", "Chaos Ransomware", "PlugX", "Azorult", "Qakbot", "Hermetic Wiper", "Warzone RAT", "DarkCrystal RAT", "CISA AA23-347A", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-44228"], "impact": 60, "mitre_attack": ["T1059.003", "T1059"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT", "Winter Vivern", "WhisperGate", "Living Off The Land", "DarkGate Malware", "ProxyNotShell", "Log4Shell CVE-2021-44228", "NjRAT", "RedLine Stealer", "Rhysida Ransomware", "IcedID", "Chaos Ransomware", "PlugX", "Azorult", "Qakbot", "Hermetic Wiper", "Warzone RAT", "DarkCrystal RAT", "CISA AA23-347A", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-44228"], "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003", "T1059"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -18287,7 +18942,7 @@ search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic identifies a common behavior by Cobalt Strike and other frameworks where the adversary will escalate privileges, either via `jump` (Cobalt Strike PTH) or `getsystem`, using named-pipe impersonation. A suspicious event will look like `cmd.exe /c echo 4sgryt3436 > \\.\Pipe\5erg53`.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.003", "T1543.003", "T1543"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1059", "T1059.003", "T1543.003", "T1543"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic identifies a common behavior by Cobalt Strike and other frameworks where the adversary will escalate privileges, either via `jump` (Cobalt Strike PTH) or `getsystem`, using named-pipe impersonation. A suspicious event will look like `cmd.exe /c echo 4sgryt3436 > \\.\Pipe\5erg53`.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -18310,7 +18965,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - CMD Echo Pipe - Escalation - Rule
-action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1059", "T1059.003", "T1543.003", "T1543"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1059", "T1059.003", "T1543.003", "T1543"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -18333,7 +18988,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents.
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -18356,7 +19011,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Cmdline Tool Not Executed In CMD Shell - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Volt Typhoon", "Rhysida Ransomware", "FIN7", "DarkGate Malware", "Qakbot", "CISA AA22-277A", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Volt Typhoon", "Rhysida Ransomware", "FIN7", "DarkGate Malware", "Qakbot", "CISA AA22-277A", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -18379,7 +19034,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic detects a potential process using COM Object like CMLUA or CMSTPLUA to bypass UAC. This technique has been used by ransomware adversaries to gain administrative privileges to its running process.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic detects a potential process using COM Object like CMLUA or CMSTPLUA to bypass UAC. This technique has been used by ransomware adversaries to gain administrative privileges to its running process.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
@@ -18402,7 +19057,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule
-action.correlationsearch.annotations = {"analytic_story": ["DarkSide Ransomware", "Ransomware", "LockBit Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["DarkSide Ransomware", "Ransomware", "LockBit Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -18426,7 +19081,7 @@ action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies the use of default or publicly known named pipes used with Cobalt Strike. A named pipe is a named, one-way or duplex pipe for communication between the pipe server and one or more pipe clients. Cobalt Strike uses named pipes in many ways and has default values used with the Artifact Kit and Malleable C2 Profiles. The following query assists with identifying these default named pipes. Each EDR product presents named pipes a little different. Consider taking the values and generating a query based on the product of choice. \
 Upon triage, review the process performing the named pipe. If it is explorer.exe, It is possible it was injected into by another process. Review recent parallel processes to identify suspicious patterns or behaviors. A parallel process may have a network connection, review and follow the connection back to identify any file modifications.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies the use of default or publicly known named pipes used with Cobalt Strike. A named pipe is a named, one-way or duplex pipe for communication between the pipe server and one or more pipe clients. Cobalt Strike uses named pipes in many ways and has default values used with the Artifact Kit and Malleable C2 Profiles. The following query assists with identifying these default named pipes. Each EDR product presents named pipes a little different. Consider taking the values and generating a query based on the product of choice. \
 Upon triage, review the process performing the named pipe. If it is explorer.exe, It is possible it was injected into by another process.
Review recent parallel processes to identify suspicious patterns or behaviors. A parallel process may have a network connection, review and follow the connection back to identify any file modifications.
@@ -18450,7 +19105,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Cobalt Strike Named Pipes - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Trickbot", "DarkSide Ransomware", "Cobalt Strike", "BlackByte Ransomware", "Graceful Wipe Out Attack", "LockBit Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Trickbot", "DarkSide Ransomware", "Cobalt Strike", "BlackByte Ransomware", "Graceful Wipe Out Attack", "LockBit Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -18474,7 +19129,7 @@ search = `sysmon` EventID=17 OR EventID=18 PipeName IN (\\msagent_*, \\DserNameP
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic detects Searches for file modifications that commonly occur with Ransomware to detect modifications to files with extensions that are commonly used by Ransomware. The detection is made by searches for changes in the datamodel=Endpoint.Filesystem, specifically modifications to file extensions that match those commonly used by Ransomware. The detection is important because it suggests that an attacker is attempting to encrypt or otherwise modify files in the environment using malware, potentially leading to data loss that can cause significant damage to an organization's data and systems. False positives might occur so the SOC must investigate the affected system to determine the source of the modification and take appropriate action to contain and remediate the attack.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1485"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic detects Searches for file modifications that commonly occur with Ransomware to detect modifications to files with extensions that are commonly used by Ransomware. The detection is made by searches for changes in the datamodel=Endpoint.Filesystem, specifically modifications to file extensions that match those commonly used by Ransomware. The detection is important because it suggests that an attacker is attempting to encrypt or otherwise modify files in the environment using malware, potentially leading to data loss that can cause significant damage to an organization's data and systems.
False positives might occur so the SOC must investigate the affected system to determine the source of the modification and take appropriate action to contain and remediate the attack.
 action.escu.how_to_implement = You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data model node. To see the additional metadata, add the following fields, if not already present, please review the detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`
@@ -18492,7 +19147,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Common Ransomware Extensions - Rule
-action.correlationsearch.annotations = {"analytic_story": ["SamSam Ransomware", "Ryuk Ransomware", "Ransomware", "Clop Ransomware", "Prestige Ransomware", "LockBit Ransomware", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "mitre_attack": ["T1485"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["SamSam Ransomware", "Ryuk Ransomware", "Ransomware", "Clop Ransomware", "Prestige Ransomware", "LockBit Ransomware", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -18509,7 +19164,7 @@ search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_
 action.escu = 0
 action.escu.enabled = 1
 description = The search looks for files created with names matching those typically used in ransomware notes that tell the victim how to get their data back.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1485"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The search looks for files created with names matching those typically used in ransomware notes that tell the victim how to get their data back.
 action.escu.how_to_implement = You must be ingesting data that records file-system activity from your hosts to populate the Endpoint Filesystem data-model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.
@@ -18527,7 +19182,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Common Ransomware Notes - Rule
-action.correlationsearch.annotations = {"analytic_story": ["SamSam Ransomware", "Ransomware", "Ryuk Ransomware", "Clop Ransomware", "Chaos Ransomware", "LockBit Ransomware", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "mitre_attack": ["T1485"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["SamSam Ransomware", "Ransomware", "Ryuk Ransomware", "Clop Ransomware", "Chaos Ransomware", "LockBit Ransomware", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -18544,7 +19199,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This search detects the suspicious commandline argument of revil ransomware to encrypt specific or all local drive and network shares of the compromised machine or host.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1204"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search detects the suspicious commandline argument of revil ransomware to encrypt specific or all local drive and network shares of the compromised machine or host.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -18567,7 +19222,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Conti Common Exec parameter - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1204"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -18590,7 +19245,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following detection identifies control.exe loading either a .cpl or .inf from a writable directory. This is related to CVE-2021-40444. During triage, review parallel processes, parent and child, for further suspicious behaviors. In addition, capture file modifications and analyze.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.002"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.002"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following detection identifies control.exe loading either a .cpl or .inf from a writable directory. This is related to CVE-2021-40444. During triage, review parallel processes, parent and child, for further suspicious behaviors. In addition, capture file modifications and analyze.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -18613,7 +19268,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Control Loading from World Writable Directory - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-40444"], "impact": 80, "mitre_attack": ["T1218", "T1218.002"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-40444"], "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.002"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -18636,7 +19291,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic detects the creation of local administrator accounts using the net.exe command to mitigate the risks associated with unauthorized access and prevent further damage to the environment by responding to potential threats earlier and taking appropriate actions to protect the organization's systems and data. This detection is made by a Splunk query to search for processes with the name net.exe or net1.exe that include the "/add" parameter and have specific keywords related to administrator accounts in their process name. This detection is important because the creation of unauthorized local administrator accounts might indicate that an attacker has successfully created a new administrator account and is trying to gain persistent access to a system or escalate their privileges for data theft, or other malicious activities. False positives might occur since there might be legitimate uses of the net.exe command and the creation of administrator accounts in certain circumstances. You must consider the context of the activity and other indicators of compromise before taking any action. For next steps, review the details of the identified process, including the user, parent process, and parent process name. Examine any relevant on-disk artifacts and look for concurrent processes to determine the source of the attack.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic detects the creation of local administrator accounts using the net.exe command to mitigate the risks associated with unauthorized access and prevent further damage to the environment by responding to potential threats earlier and taking appropriate actions to protect the organization's systems and data. This detection is made by a Splunk query to search for processes with the name net.exe or net1.exe that include the "/add" parameter and have specific keywords related to administrator accounts in their process name. This detection is important because the creation of unauthorized local administrator accounts might indicate that an attacker has successfully created a new administrator account and is trying to gain persistent access to a system or escalate their privileges for data theft, or other malicious activities. False positives might occur since there might be legitimate uses of the net.exe command and the creation of administrator accounts in certain circumstances. You must consider the context of the activity and other indicators of compromise before taking any action. For next steps, review the details of the identified process, including the user, parent process, and parent process name. Examine any relevant on-disk artifacts and look for concurrent processes to determine the source of the attack.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -18659,7 +19314,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Create local admin accounts using net exe - Rule
-action.correlationsearch.annotations = {"analytic_story": ["DHS Report TA18-074A", "Azorult", "CISA AA22-257A", "DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["DHS Report TA18-074A", "Azorult", "CISA AA22-257A", "DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -18682,7 +19337,7 @@ search = | tstats `security_content_summariesonly` count values(Processes.user)
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic detects the creation or deletion of hidden shares using the net.exe command for prompt response and mitigation to enhance the overall security posture of the organization and protect against potential data breaches, malware infections, and other damaging outcomes. This detection is made by searching for processes that involve the use of net.exe and filters for actions related to creation or deletion of shares. This detection is important because it suggests that an attacker is attempting to manipulate or exploit the network by creating or deleting hidden shares. The creation or deletion of hidden shares can indicate malicious activity since attackers might use hidden shares to exfiltrate data, distribute malware, or establish persistence within a network. The impact of such an attack can vary, but it often involves unauthorized access to sensitive information, disruption of services, or the introduction of malware. False positives might occur since legitimate actions can also involve the use of net.exe. An extensive triage and investigation is necessary to determine the intent and nature of the detected activity. Next steps include reviewing the details of the process involving the net.exe command, including the user, parent process, and timestamps during the triage. Additionally, capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the source of the attack.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1070", "T1070.005"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070", "T1070.005"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic detects the creation or deletion of hidden shares using the net.exe command for prompt response and mitigation to enhance the overall security posture of the organization and protect against potential data breaches, malware infections, and other damaging outcomes. This detection is made by searching for processes that involve the use of net.exe and filters for actions related to creation or deletion of shares. This detection is important because it suggests that an attacker is attempting to manipulate or exploit the network by creating or deleting hidden shares. The creation or deletion of hidden shares can indicate malicious activity since attackers might use hidden shares to exfiltrate data, distribute malware, or establish persistence within a network. The impact of such an attack can vary, but it often involves unauthorized access to sensitive information, disruption of services, or the introduction of malware. False positives might occur since legitimate actions can also involve the use of net.exe. An extensive triage and investigation is necessary to determine the intent and nature of the detected activity. Next steps include reviewing the details of the process involving the net.exe command, including the user, parent process, and timestamps during the triage. Additionally, capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the source of the attack.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -18705,7 +19360,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Create or delete windows shares using net exe - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Hidden Cobra Malware", "CISA AA22-277A", "Windows Post-Exploitation", "Prestige Ransomware", "DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1070", "T1070.005"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Hidden Cobra Malware", "CISA AA22-277A", "Windows Post-Exploitation", "Prestige Ransomware", "DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070", "T1070.005"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -18728,7 +19383,7 @@ search = | tstats `security_content_summariesonly` count values(Processes.user)
 action.escu = 0
 action.escu.enabled = 1
 description = This search is to detect suspicious process injection in command shell. This technique was seen in IcedID where it execute cmd.exe process to inject its shellcode as part of its execution as banking trojan. It is really uncommon to have a create remote thread execution in the following application.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = This search is to detect suspicious process injection in command shell. This technique was seen in IcedID where it execute cmd.exe process to inject its shellcode as part of its execution as banking trojan. It is really uncommon to have a create remote thread execution in the following application.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
@@ -18751,7 +19406,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Create Remote Thread In Shell Application - Rule
-action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Qakbot", "Warzone RAT"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Qakbot", "Warzone RAT"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -18774,7 +19429,7 @@ search = `sysmon` EventCode=8 TargetImage IN ("*\\cmd.exe", "*\\powershell*") |
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS), which is a common tactic used by adversaries to steal user authentication credentials, known as credential dumping. The detection is made by leveraging Sysmon Event ID 8 logs and searches for processes that create remote threads in lsass.exe. This is an unusual activity that is generally linked to credential theft or credential dumping, which is a significant threat to network security. The detection is important because it helps to detect potential credential dumping attacks, which can result in significant damage to an organization's security. False positives might occur though the confidence level of this alert is high. There might be cases where legitimate tools can access LSASS and generate similar logs. Therefore, you must understand the broader context of such events and differentiate between legitimate activities and possible threats.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS), which is a common tactic used by adversaries to steal user authentication credentials, known as credential dumping. The detection is made by leveraging Sysmon Event ID 8 logs and searches for processes that create remote threads in lsass.exe. This is an unusual activity that is generally linked to credential theft or credential dumping, which is a significant threat to network security. 
The detection is important because it helps to detect potential credential dumping attacks, which can result in significant damage to an organization's security. False positives might occur though the confidence level of this alert is high. There might be cases where legitimate tools can access LSASS and generate similar logs. Therefore, you must understand the broader context of such events and differentiate between legitimate activities and possible threats.
 action.escu.how_to_implement = This search needs Sysmon Logs with a Sysmon configuration, which includes EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.
@@ -18797,7 +19452,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Create Remote Thread into LSASS - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -18820,7 +19475,7 @@ search = `sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as f
 action.escu = 0
 action.escu.enabled = 1
 description = Detect the hands on keyboard behavior of Windows Task Manager creating a process dump of lsass.exe. Upon this behavior occurring, a file write/modification will occur in the users profile under \AppData\Local\Temp. The dump file, lsass.dmp, cannot be renamed, however if the dump occurs more than once, it will be named lsass (2).dmp.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = Detect the hands on keyboard behavior of Windows Task Manager creating a process dump of lsass.exe. Upon this behavior occurring, a file write/modification will occur in the users profile under \AppData\Local\Temp. The dump file, lsass.dmp, cannot be renamed, however if the dump occurs more than once, it will be named lsass (2).dmp.
 action.escu.how_to_implement = This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 11 for detecting file create of lsass.dmp. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.
@@ -18843,7 +19498,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Creation of lsass Dump with Taskmgr - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "CISA AA22-257A"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "CISA AA22-257A"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -18866,7 +19521,7 @@ search = `sysmon` EventID=11 process_name=taskmgr.exe TargetFilename=*lsass*.dmp
 action.escu = 0
 action.escu.enabled = 1
 description = Monitor for signs that Vssadmin or Wmic has been used to create a shadow copy.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = Monitor for signs that Vssadmin or Wmic has been used to create a shadow copy.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -18889,7 +19544,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Creation of Shadow Copy - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -18912,7 +19567,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic detects the use of two specific tools, wmic and Powershell, to create a shadow copy to identify potential threats earlier and take appropriate actions to mitigate the risks. This detection is made by a Splunk query that searches for processes in the Endpoint.Processes data model where either the process name contains "wmic" or "Powershell" and the process command contains "shadowcopy" and "create". This detection is important because it suggests that an attacker is attempting to manipulate or access data in an unauthorized manner, which can lead to data theft, data manipulation, or other malicious activities. Attackers might use shadow copies to backup and exfiltrate sensitive data or to hide their tracks by restoring files to a previous state after an attack. Next steps include reviewing the user associated with the process, the process name, the original file name, the process command, and the destination of the process. Additionally, examine any relevant on-disk artifacts and review other concurrent processes to determine the source of the attack.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic detects the use of two specific tools, wmic and Powershell, to create a shadow copy to identify potential threats earlier and take appropriate actions to mitigate the risks. This detection is made by a Splunk query that searches for processes in the Endpoint.Processes data model where either the process name contains "wmic" or "Powershell" and the process command contains "shadowcopy" and "create". 
This detection is important because it suggests that an attacker is attempting to manipulate or access data in an unauthorized manner, which can lead to data theft, data manipulation, or other malicious activities. Attackers might use shadow copies to backup and exfiltrate sensitive data or to hide their tracks by restoring files to a previous state after an attack. Next steps include reviewing the user associated with the process, the process name, the original file name, the process command, and the destination of the process. Additionally, examine any relevant on-disk artifacts and review other concurrent processes to determine the source of the attack.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -18935,7 +19590,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Creation of Shadow Copy with wmic and powershell - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Living Off The Land", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Living Off The Land", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -18958,7 +19613,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic detects the use of the copy command to dump credentials from a shadow copy so that you can detect potential threats earlier and mitigate the risks associated with credential dumping. The detection is made by using a Splunk query to search for specific processes that indicate credential dumping activity. The query looks for processes with command lines that include references to certain files, such as "sam", "security", "system", and "ntds.dit", located in system directories like "system32" or "windows". The detection is important because it suggests that an attacker is attempting to extract credentials from a shadow copy. Credential dumping is a common technique used by attackers to obtain sensitive login information and gain unauthorized access to systems to escalate privileges, move laterally within the network, or gain unauthorized access to sensitive data. False positives might occur since legitimate processes might also reference these files. During triage, it is crucial to review the process details, including the source and the command that is run. Additionally, you must capture and analyze any relevant on-disk artifacts and investigate concurrent processes to determine the source of the attack
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic detects the use of the copy command to dump credentials from a shadow copy so that you can detect potential threats earlier and mitigate the risks associated with credential dumping. 
The detection is made by using a Splunk query to search for specific processes that indicate credential dumping activity. The query looks for processes with command lines that include references to certain files, such as "sam", "security", "system", and "ntds.dit", located in system directories like "system32" or "windows". The detection is important because it suggests that an attacker is attempting to extract credentials from a shadow copy. Credential dumping is a common technique used by attackers to obtain sensitive login information and gain unauthorized access to systems to escalate privileges, move laterally within the network, or gain unauthorized access to sensitive data. False positives might occur since legitimate processes might also reference these files. During triage, it is crucial to review the process details, including the source and the command that is run. Additionally, you must capture and analyze any relevant on-disk artifacts and investigate concurrent processes to determine the source of the attack
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -18981,7 +19636,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Credential Dumping via Copy Command from Shadow Copy - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -19004,7 +19659,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic detects the creation of a symlink to a shadow copy to identify potential threats earlier and mitigate the risks associated with symlink creation to shadow copies. The detection is made by using a Splunk query that searches for processes with commands containing "mklink" and "HarddiskVolumeShadowCopy". This analytic retrieves information such as the destination, user, process name, process ID, parent process, original file name, and parent process ID from the Endpoint.Processes data model. The detection is important because it indicates potential malicious activity since attackers might use this technique to manipulate or delete shadow copies, which are used for system backup and recovery. This detection helps to determine if an attacker is attempting to cover their tracks or prevent data recovery in the event of an incident. The impact of such an attack can be significant since it can hinder incident response efforts, prevent data restoration, and potentially lead to data loss or compromise. Next steps include reviewing the details of the process, such as the destination and the user responsible for creating the symlink. Additionally, you must examine the parent process, any relevant on-disk artifacts, and concurrent processes to identify the source of the attack.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic detects the creation of a symlink to a shadow copy to identify potential threats earlier and mitigate the risks associated with symlink creation to shadow copies.
The detection is made by using a Splunk query that searches for processes with commands containing "mklink" and "HarddiskVolumeShadowCopy". This analytic retrieves information such as the destination, user, process name, process ID, parent process, original file name, and parent process ID from the Endpoint.Processes data model. The detection is important because it indicates potential malicious activity since attackers might use this technique to manipulate or delete shadow copies, which are used for system backup and recovery. This detection helps to determine if an attacker is attempting to cover their tracks or prevent data recovery in the event of an incident. The impact of such an attack can be significant since it can hinder incident response efforts, prevent data restoration, and potentially lead to data loss or compromise. Next steps include reviewing the details of the process, such as the destination and the user responsible for creating the symlink. Additionally, you must examine the parent process, any relevant on-disk artifacts, and concurrent processes to identify the source of the attack.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -19027,7 +19682,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Credential Dumping via Symlink to Shadow Copy - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -19050,7 +19705,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = this analytic is to detect a suspicious compile before delivery approach of .net compiler csc.exe. This technique was seen in several adversaries, malware and even in red teams to take advantage the csc.exe .net compiler tool to compile on the fly a malicious .net code to evade detection from security product. This is a good hunting query to check further the file or process created after this event and check the file path that passed to csc.exe which is the .net code. Aside from that, powershell is capable of using this compiler in executing .net code in a powershell script so filter on that case is needed.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1027.004", "T1027"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027.004", "T1027"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = this analytic is to detect a suspicious compile before delivery approach of .net compiler csc.exe. This technique was seen in several adversaries, malware and even in red teams to take advantage the csc.exe .net compiler tool to compile on the fly a malicious .net code to evade detection from security product. This is a good hunting query to check further the file or process created after this event and check the file path that passed to csc.exe which is the .net code. Aside from that, powershell is capable of using this compiler in executing .net code in a powershell script so filter on that case is needed.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed.
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -19068,7 +19723,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - CSC Net On The Fly Compilation - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1027.004", "T1027"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027.004", "T1027"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -19085,7 +19740,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies the use of curl on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies the use of curl on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -19108,7 +19763,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Curl Download and Bash Execution - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Ingress Tool Transfer", "Log4Shell CVE-2021-44228", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-44228"], "impact": 80, "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Ingress Tool Transfer", "Log4Shell CVE-2021-44228", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-44228"], "impact": 80, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -19131,7 +19786,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This following analytic detects PowerShell command to delete shadow copy using the WMIC PowerShell module. This technique was seen used by a recent adversary to deploy DarkSide Ransomware where it executed a child process of PowerShell to execute a hex encoded command to delete shadow copy. This hex encoded command was able to be decrypted by PowerShell log.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = This following analytic detects PowerShell command to delete shadow copy using the WMIC PowerShell module. This technique was seen used by a recent adversary to deploy DarkSide Ransomware where it executed a child process of PowerShell to execute a hex encoded command to delete shadow copy. This hex encoded command was able to be decrypted by PowerShell log.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event.
@@ -19154,7 +19809,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Delete ShadowCopy With PowerShell - Rule
-action.correlationsearch.annotations = {"analytic_story": ["DarkSide Ransomware", "Ransomware", "Revil Ransomware", "DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["DarkSide Ransomware", "Ransomware", "Revil Ransomware", "DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -19177,7 +19832,7 @@ search = `powershell` EventCode=4104 ScriptBlockText= "*ShadowCopy*" (ScriptBloc
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic will detect a suspicious net.exe/net1.exe command-line to delete a user on a system. This technique may be use by an administrator for legitimate purposes, however this behavior has been used in the wild to impair some user or deleting adversaries tracks created during its lateral movement additional systems. During triage, review parallel processes for additional behavior. Identify any other user accounts created before or after.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1531"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1531"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic will detect a suspicious net.exe/net1.exe command-line to delete a user on a system. This technique may be use by an administrator for legitimate purposes, however this behavior has been used in the wild to impair some user or deleting adversaries tracks created during its lateral movement additional systems. During triage, review parallel processes for additional behavior. Identify any other user accounts created before or after.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model.
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -19200,7 +19855,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deleting Of Net Users - Rule
-action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Graceful Wipe Out Attack", "DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1531"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Graceful Wipe Out Attack", "DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1531"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -19223,7 +19878,7 @@ search = | tstats `security_content_summariesonly` values(Processes.process) as
 action.escu = 0
 action.escu.enabled = 1
 description = The vssadmin.exe utility is used to interact with the Volume Shadow Copy Service. Wmic is an interface to the Windows Management Instrumentation. This search looks for either of these tools being used to delete shadow copies.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The vssadmin.exe utility is used to interact with the Volume Shadow Copy Service. Wmic is an interface to the Windows Management Instrumentation. This search looks for either of these tools being used to delete shadow copies.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -19246,7 +19901,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Deleting Shadow Copies - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Log Manipulation", "SamSam Ransomware", "Ransomware", "Clop Ransomware", "CISA AA22-264A", "Prestige Ransomware", "Chaos Ransomware", "LockBit Ransomware", "DarkGate Malware", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Log Manipulation", "SamSam Ransomware", "Ransomware", "Clop Ransomware", "CISA AA22-264A", "Prestige Ransomware", "Chaos Ransomware", "LockBit Ransomware", "DarkGate Malware", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -19269,7 +19924,7 @@ search = | tstats `security_content_summariesonly` count values(Processes.proces
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies the common command-line argument used by AzureHound `Invoke-AzureHound`. Being the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies the common command-line argument used by AzureHound `Invoke-AzureHound`. Being the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product.
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -19292,7 +19947,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Detect AzureHound Command-Line Arguments - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Discovery Techniques"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Discovery Techniques"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -19315,7 +19970,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic is similar to SharpHound file modifications, but this instance covers the use of Invoke-AzureHound. AzureHound is the SharpHound equivilent but for Azure. It's possible this may never be seen in an environment as most attackers may execute this tool remotely. Once execution is complete, a zip file with a similar name will drop `20210601090751-azurecollection.zip`. In addition to the zip, multiple .json files will be written to disk, which are in the zip.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic is similar to SharpHound file modifications, but this instance covers the use of Invoke-AzureHound. AzureHound is the SharpHound equivilent but for Azure. It's possible this may never be seen in an environment as most attackers may execute this tool remotely. Once execution is complete, a zip file with a similar name will drop `20210601090751-azurecollection.zip`. In addition to the zip, multiple .json files will be written to disk, which are in the zip.
 action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on file modifications that include the name of the process, and file, responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.
@@ -19338,7 +19993,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Detect AzureHound File Modifications - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Discovery Techniques"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Discovery Techniques"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -19361,7 +20016,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects a specific type of vulnerability known as a heap-based buffer overflow in the sudoedit command, commonly referred to as Baron Samedit CVE-2021-3156. The detection is made by a Splunk query that searches for instances of the sudoedit command with the "-s" flag followed by a double quote. This combination of parameters is indicative of the vulnerability being exploited. The detection is important because it suggests that an attacker is attempting to exploit the Baron Samedit vulnerability. The Baron Samedit vulnerability allows an attacker to gain elevated privileges on a Linux system and run arbitrary code with root privileges, potentially leading to complete control over the affected system. The impact of a successful attack can be severe since it allows the attacker to bypass security measures and gain unauthorized access to sensitive data or systems. This can result in data breaches, unauthorized modifications, or even complete system compromise. Next steps include being aware of this vulnerability and actively monitoring any attempts to exploit it. By detecting and responding to such attacks in a timely manner, you can prevent or minimize the potential damage caused by the heap-based buffer overflow of sudoedit.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic detects a specific type of vulnerability known as a heap-based buffer overflow in the sudoedit command, commonly referred to as Baron Samedit CVE-2021-3156. The detection is made by a Splunk query that searches for instances of the sudoedit command with the "-s" flag followed by a double quote. This combination of parameters is indicative of the vulnerability being exploited. The detection is important because it suggests that an attacker is attempting to exploit the Baron Samedit vulnerability. The Baron Samedit vulnerability allows an attacker to gain elevated privileges on a Linux system and run arbitrary code with root privileges, potentially leading to complete control over the affected system. The impact of a successful attack can be severe since it allows the attacker to bypass security measures and gain unauthorized access to sensitive data or systems. This can result in data breaches, unauthorized modifications, or even complete system compromise. Next steps include being aware of this vulnerability and actively monitoring any attempts to exploit it. By detecting and responding to such attacks in a timely manner, you can prevent or minimize the potential damage caused by the heap-based buffer overflow of sudoedit.
 action.escu.how_to_implement = Splunk Universal Forwarder running on Linux systems, capturing logs from the /var/log directory. The vulnerability is exposed when a non privledged user tries passing in a single \ character at the end of the command while using the shell and edit flags.
@@ -19384,7 +20039,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Detect Baron Samedit CVE-2021-3156 - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Baron Samedit CVE-2021-3156"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-3156"], "impact": 50, "mitre_attack": ["T1068"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Baron Samedit CVE-2021-3156"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-3156"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -19407,7 +20062,7 @@ search = `linux_hosts` "sudoedit -s \\" | `detect_baron_samedit_cve_2021_3156_fi
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects the occurrence of a heap-based buffer overflow in sudoedit.The detection is made by using a Splunk query to identify Linux hosts where the terms "sudoedit" and "segfault" appear in the logs. The detection is important because the heap-based buffer overflow vulnerability in sudoedit can be exploited by attackers to gain elevated root privileges on a vulnerable system, which might lead to the compromise of sensitive data, unauthorized access, and other malicious activities. False positives might occur. Therefore, you must review the logs and investigate further before taking any action.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic detects the occurrence of a heap-based buffer overflow in sudoedit.The detection is made by using a Splunk query to identify Linux hosts where the terms "sudoedit" and "segfault" appear in the logs. The detection is important because the heap-based buffer overflow vulnerability in sudoedit can be exploited by attackers to gain elevated root privileges on a vulnerable system, which might lead to the compromise of sensitive data, unauthorized access, and other malicious activities. False positives might occur.
Therefore, you must review the logs and investigate further before taking any action.
 action.escu.how_to_implement = Splunk Universal Forwarder running on Linux systems (tested on Centos and Ubuntu), where segfaults are being logged. This also captures instances where the exploit has been compiled into a binary. The detection looks for greater than 5 instances of sudoedit combined with segfault over your search time period on a single host
@@ -19430,7 +20085,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Detect Baron Samedit CVE-2021-3156 Segfault - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Baron Samedit CVE-2021-3156"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-3156"], "impact": 50, "mitre_attack": ["T1068"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Baron Samedit CVE-2021-3156"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-3156"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -19453,7 +20108,7 @@ search = `linux_hosts` TERM(sudoedit) TERM(segfault) | stats count min(_time) as action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects the heap-based buffer overflow for the sudoedit command and identifies instances where the command "sudoedit -s *" is run using the osquery_process data source. This indicates that the sudoedit command is used with the "-s" flag, which is associated with the heap-based buffer overflow vulnerability. The detection is important because it indicates a potential security vulnerability, specifically Baron Samedit CVE-2021-3156, which helps to identify and respond to potential heap-based buffer overflow attacks to enhance the security posture of the organization. This vulnerability allows an attacker to escalate privileges and potentially gain unauthorized access to the system. If the attack is successful, the attacker can gain full control of the system, run arbitrary code, or access sensitive data. Such attacks can lead to data breaches, unauthorized access, and potential disruption of critical systems. False positives might occur since the legitimate use of the sudoedit command with the "-s" flag can also trigger this detection. You must carefully review and validate the findings before taking any action. Next steps include investigating all true positive detections promptly, reviewing the associated processes, gather relevant artifacts, identifying the source of the attack to contain the threat, mitigate the risks, and prevent further damage to the environment. 
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects the heap-based buffer overflow for the sudoedit command and identifies instances where the command "sudoedit -s *" is run using the osquery_process data source. This indicates that the sudoedit command is used with the "-s" flag, which is associated with the heap-based buffer overflow vulnerability. The detection is important because it indicates a potential security vulnerability, specifically Baron Samedit CVE-2021-3156, which helps to identify and respond to potential heap-based buffer overflow attacks to enhance the security posture of the organization. This vulnerability allows an attacker to escalate privileges and potentially gain unauthorized access to the system. If the attack is successful, the attacker can gain full control of the system, run arbitrary code, or access sensitive data. Such attacks can lead to data breaches, unauthorized access, and potential disruption of critical systems. False positives might occur since the legitimate use of the sudoedit command with the "-s" flag can also trigger this detection. You must carefully review and validate the findings before taking any action. Next steps include investigating all true positive detections promptly, reviewing the associated processes, gather relevant artifacts, identifying the source of the attack to contain the threat, mitigate the risks, and prevent further damage to the environment. action.escu.how_to_implement = OSQuery installed and configured to pick up process events (info at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. 
The vulnerability is exposed when a non privledged user tries passing in a single \ character at the end of the command while using the shell and edit flags. @@ -19476,7 +20131,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Detect Baron Samedit CVE-2021-3156 via OSQuery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Baron Samedit CVE-2021-3156"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-3156"], "impact": 50, "mitre_attack": ["T1068"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Baron Samedit CVE-2021-3156"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-3156"], "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -19499,7 +20154,7 @@ search = `osquery_process` | search "columns.cmdline"="sudoedit -s \\*" | `detec action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies when the attacker tool Certify or Certipy are used to enumerate Active Directory Certificate Services (AD CS) environments. The default command line arguments of these tools are similar and perform near identical enumeration or exploitation functions. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1649", "T1105"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Command and Control"], "mitre_attack": ["T1649", "T1105"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies when the attacker tool Certify or Certipy are used to enumerate Active Directory Certificate Services (AD CS) environments. The default command line arguments of these tools are similar and perform near identical enumeration or exploitation functions. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -19514,7 +20169,7 @@ action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Bla action.escu.analytic_story = ["Windows Certificate Services", "Ingress Tool Transfer"] action.risk = 1 action.risk.param._risk_message = Certify/Certipy arguments detected on $dest$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"threat_object_field": "process_name", "threat_object_type": "process"}, {"threat_object_field": "process_name", "threat_object_type": "process name"}] +action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"threat_object_field": "process_name", "threat_object_type": "process"}, {"threat_object_field": "process_name", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -19522,7 +20177,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Certify Command Line Arguments - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Certificate Services", "Ingress Tool Transfer"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "mitre_attack": ["T1649", "T1105"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Windows Certificate Services", "Ingress Tool Transfer"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation", "Command and Control"], "mitre_attack": ["T1649", "T1105"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -19545,7 +20200,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies when the attacker tool Certify is used through an in-memory PowerShell function to enumerate Active Directory Certificate Services (AD CS) environments. The default command line arguments for the binary version of this tools are similar to PowerShell calls and perform near identical enumeration or exploitation functions. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1649", "T1059", "T1059.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1649", "T1059", "T1059.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies when the attacker tool Certify is used through an in-memory PowerShell function to enumerate Active Directory Certificate Services (AD CS) environments. The default command line arguments for the binary version of this tools are similar to PowerShell calls and perform near identical enumeration or exploitation functions. action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.. 
@@ -19568,7 +20223,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Certify With PowerShell Script Block Logging - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Certificate Services", "Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "mitre_attack": ["T1649", "T1059", "T1059.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Windows Certificate Services", "Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1649", "T1059", "T1059.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -19591,7 +20246,7 @@ search = `powershell` EventCode=4104 (ScriptBlockText IN ("*find *") AND ScriptB action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies when the attacker tool Certipy is used to enumerate Active Directory Certificate Services (AD CS) environments. The default behavior of this toolkit drops a number of file uniquely named files or file extensions related to it's information gathering and exfiltration process. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1649", "T1560"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649", "T1560"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies when the attacker tool Certipy is used to enumerate Active Directory Certificate Services (AD CS) environments. The default behavior of this toolkit drops a number of file uniquely named files or file extensions related to it's information gathering and exfiltration process. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints as well as file creation or deletion events. 
@@ -19606,7 +20261,7 @@ action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Bla action.escu.analytic_story = ["Windows Certificate Services", "Data Exfiltration", "Ingress Tool Transfer"] action.risk = 1 action.risk.param._risk_message = Suspicious files $file_name$ related to Certipy detected on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"threat_object_field": "file_name", "threat_object_type": "file name"}, {"threat_object_field": "process_name", "threat_object_type": "process name"}] +action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 45}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}, {"threat_object_field": "process_name", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -19614,7 +20269,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Certipy File Modifications - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Certificate Services", "Data Exfiltration", "Ingress Tool Transfer"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "mitre_attack": ["T1649", "T1560"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Windows Certificate Services", "Data Exfiltration", "Ingress Tool Transfer"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649", "T1560"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -19637,7 +20292,7 @@ search = | tstats `security_content_summariesonly` count min(_time) AS firstTime action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for Event Code 4742 (Computer Change) or EventCode 4624 (An account was successfully logged on) with an anonymous account. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search looks for Event Code 4742 (Computer Change) or EventCode 4624 (An account was successfully logged on) with an anonymous account. action.escu.how_to_implement = This search requires audit computer account management to be enabled on the system in order to generate Event ID 4742. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Event Logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. 
@@ -19655,7 +20310,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Detect Computer Changed with Anonymous Account - Rule -action.correlationsearch.annotations = {"analytic_story": ["Detect Zerologon Attack"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2020-1472"], "impact": 70, "mitre_attack": ["T1210"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Detect Zerologon Attack"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2020-1472"], "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -19674,7 +20329,7 @@ action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies `copy` or `[System.IO.File]::Copy` being used to capture the SAM, SYSTEM or SECURITY hives identified in script block. This will catch the most basic use cases for credentials being taken for offline cracking. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies `copy` or `[System.IO.File]::Copy` being used to capture the SAM, SYSTEM or SECURITY hives identified in script block. This will catch the most basic use cases for credentials being taken for offline cracking. \ 
@@ -19699,7 +20354,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Copy of ShadowCopy with Script Block Logging - Rule -action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-36934"], "impact": 80, "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-36934"], "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -19724,7 +20379,7 @@ search = `powershell` EventCode=4104 Message IN ("*copy*","*[System.IO.File]::Co action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the reading of lsass memory, which is consistent with credential dumping. Reading lsass memory is a common technique used by attackers to steal credentials from the Windows operating system. The detection is made by monitoring the sysmon events and filtering for specific access permissions (0x1010 and 0x1410) on the lsass.exe process helps identify potential instances of credential dumping.The detection is important because it suggests that an attacker is attempting to extract credentials from the lsass memory, which can lead to unauthorized access, data breaches, and compromise of sensitive information. Credential dumping is often a precursor to further attacks, such as lateral movement, privilege escalation, or data exfiltration. False positives can occur due to legitimate actions that involve accessing lsass memory. Therefore, extensive triage and investigation are necessary to differentiate between malicious and benign activities. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects the reading of lsass memory, which is consistent with credential dumping. Reading lsass memory is a common technique used by attackers to steal credentials from the Windows operating system. 
The detection is made by monitoring the sysmon events and filtering for specific access permissions (0x1010 and 0x1410) on the lsass.exe process helps identify potential instances of credential dumping.The detection is important because it suggests that an attacker is attempting to extract credentials from the lsass memory, which can lead to unauthorized access, data breaches, and compromise of sensitive information. Credential dumping is often a precursor to further attacks, such as lateral movement, privilege escalation, or data exfiltration. False positives can occur due to legitimate actions that involve accessing lsass memory. Therefore, extensive triage and investigation are necessary to differentiate between malicious and benign activities. action.escu.how_to_implement = This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. 
@@ -19747,7 +20402,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Credential Dumping through LSASS access - Rule -action.correlationsearch.annotations = {"analytic_story": ["Detect Zerologon Attack", "CISA AA23-347A", "Credential Dumping"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Detect Zerologon Attack", "CISA AA23-347A", "Credential Dumping"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -19772,7 +20427,7 @@ action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies the common PowerShell stager used by PowerShell-Empire. Each stager that may use PowerShell all uses the same pattern. The initial HTTP will be base64 encoded and use `system.net.webclient`. Note that some obfuscation may evade the analytic. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies the common PowerShell stager used by PowerShell-Empire. Each stager that may use PowerShell all uses the same pattern. The initial HTTP will be base64 encoded and use `system.net.webclient`. Note that some obfuscation may evade the analytic. \ 
@@ -19797,7 +20452,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Empire with PowerShell Script Block Logging - Rule -action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -19822,7 +20477,7 @@ search = `powershell` EventCode=4104 (ScriptBlockText=*system.net.webclient* AN action.escu = 0 action.escu.enabled = 1 description = This search identifies endpoints that have caused a relatively high number of account lockouts in a short period. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.AE"]} action.escu.data_models = ["Change"] action.escu.eli5 = This search identifies endpoints that have caused a relatively high number of account lockouts in a short period. action.escu.how_to_implement = You must ingest your Windows security event logs in the `Change` datamodel under the nodename is `Account_Management`, for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment. \ 
@@ -19831,8 +20486,8 @@ If Splunk>Phantom is also configured in your environment, a Playbook called "Exc (Playbook Link:`https://my.phantom.us/4.1/playbook/excessive-account-lockouts-enrichment-and-response/`).\ action.escu.known_false_positives = It's possible that a widely used system, such as a kiosk, could cause a large number of account lockouts. -action.escu.creation_date = 2022-08-25 -action.escu.modification_date = 2022-08-25 +action.escu.creation_date = 2024-02-14 +action.escu.modification_date = 2024-02-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect Excessive Account Lockouts From Endpoint - Rule action.escu.search_type = detection @@ -19849,7 +20504,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Excessive Account Lockouts From Endpoint - Rule -action.correlationsearch.annotations = {"analytic_story": ["Account Monitoring and Controls"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Account Monitoring and Controls"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -19866,7 +20521,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This search detects user accounts that have been locked out a relatively high number of times in a short period. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.003"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.003"], "nist": ["DE.AE"]} action.escu.data_models = ["Change"] action.escu.eli5 = This search detects user accounts that have been locked out a relatively high number of times in a short period. action.escu.how_to_implement = ou must ingest your Windows security event logs in the `Change` datamodel under the nodename is `Account_Management`, for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment. @@ -19889,7 +20544,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Excessive User Account Lockouts - Rule -action.correlationsearch.annotations = {"analytic_story": ["Account Monitoring and Controls"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "mitre_attack": ["T1078", "T1078.003"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Account Monitoring and Controls"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.003"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -19906,7 +20561,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell and ProxyNotShell. Paths include: `\HttpProxy\owa\auth\`, `\inetpub\wwwroot\aspnet_client\`, and `\HttpProxy\OAB\`. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant. 
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1505", "T1505.003", "T1190", "T1133"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505", "T1505.003", "T1190", "T1133"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell and ProxyNotShell. Paths include: `\HttpProxy\owa\auth\`, `\inetpub\wwwroot\aspnet_client\`, and `\HttpProxy\OAB\`. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant. 
action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node. @@ -19929,7 +20584,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Exchange Web Shell - Rule -action.correlationsearch.annotations = {"analytic_story": ["ProxyNotShell", "ProxyShell", "CISA AA22-257A", "HAFNIUM Group", "BlackByte Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "mitre_attack": ["T1505", "T1505.003", "T1190", "T1133"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["ProxyNotShell", "ProxyShell", "CISA AA22-257A", "HAFNIUM Group", "BlackByte Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505", "T1505.003", "T1190", "T1133"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -19952,7 +20607,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a renamed instance of hh.exe (HTML Help) executing a Compiled HTML Help (CHM). This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Validate it is the legitimate version of hh.exe by reviewing the PE metadata. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies a renamed instance of hh.exe (HTML Help) executing a Compiled HTML Help (CHM). This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. 
During investigation, identify script content origination. Validate it is the legitimate version of hh.exe by reviewing the PE metadata. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -19970,7 +20625,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect HTML Help Renamed - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Compiled HTML Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious Compiled HTML Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -19987,7 +20642,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. 
During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -20010,7 +20665,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect HTML Help Spawn Child Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Compiled HTML Activity", "Living Off The Land", "AgentTesla"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious Compiled HTML Activity", "Living Off The Land", "AgentTesla"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -20033,7 +20688,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file from a remote url. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review reputation of remote IP and domain. Some instances, it is worth decompiling the .chm file to review its original contents. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file from a remote url. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. 
The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review reputation of remote IP and domain. Some instances, it is worth decompiling the .chm file to review its original contents. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -20056,7 +20711,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect HTML Help URL in Command Line - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Compiled HTML Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious Compiled HTML Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -20079,7 +20734,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file using InfoTech Storage Handlers. This particular technique will load Windows script code from a compiled help file, using InfoTech Storage Handlers. itss.dll will load upon execution. Three InfoTech Storage handlers are supported - ms-its, its, mk:@MSITStore. ITSS may be used to launch a specific html/htm file from within a CHM file. CHM files may contain nearly any file type embedded. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file using InfoTech Storage Handlers. This particular technique will load Windows script code from a compiled help file, using InfoTech Storage Handlers. itss.dll will load upon execution. Three InfoTech Storage handlers are supported - ms-its, its, mk:@MSITStore. ITSS may be used to launch a specific html/htm file from within a CHM file. CHM files may contain nearly any file type embedded. 
Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -20102,7 +20757,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Compiled HTML Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious Compiled HTML Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -20127,7 +20782,7 @@ action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. \ This analytic identifies common Mimikatz functions that may be identified in the script block, including `mimikatz`. This will catch the most basic use cases for Pass the Ticket, Pass the Hash and `-DumprCreds`. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003", "T1059.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1003", "T1059.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. \ This analytic identifies common Mimikatz functions that may be identified in the script block, including `mimikatz`. This will catch the most basic use cases for Pass the Ticket, Pass the Hash and `-DumprCreds`. \ 
@@ -20152,7 +20807,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule -action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Sandworm Tools", "CISA AA22-264A", "CISA AA22-320A", "CISA AA23-347A", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "mitre_attack": ["T1003", "T1059.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Sandworm Tools", "CISA AA22-264A", "CISA AA22-320A", "CISA AA23-347A", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1003", "T1059.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -20177,7 +20832,7 @@ search = `powershell` EventCode=4104 ScriptBlockText IN (*mimikatz*, *-dumpcr*, action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies "mshta.exe" execution with inline protocol handlers. "JavaScript", "VBScript", and "About" are the only supported options when invoking HTA content directly on the command-line. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "mshta.exe" and its parent process. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies "mshta.exe" execution with inline protocol handlers. "JavaScript", "VBScript", and "About" are the only supported options when invoking HTA content directly on the command-line. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "mshta.exe" and its parent process. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -20200,7 +20855,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect mshta inline hta execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious MSHTA Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious MSHTA Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -20223,7 +20878,7 @@ search = | tstats `security_content_summariesonly` count values(Processes.proces action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies renamed instances of mshta.exe executing. Mshta.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. This analytic utilizes the internal name of the PE to identify if is the legitimate mshta binary. Further analysis should be performed to review the executed content and validation it is the real mshta. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies renamed instances of mshta.exe executing. Mshta.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. This analytic utilizes the internal name of the PE to identify if is the legitimate mshta binary. Further analysis should be performed to review the executed content and validation it is the real mshta. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -20241,7 +20896,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect mshta renamed - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious MSHTA Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious MSHTA Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -20258,7 +20913,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic identifies when Microsoft HTML Application Host (mshta.exe) utility is used to make remote http connections. Adversaries may use mshta.exe to proxy the download and execution of remote .hta files. The analytic identifies command line arguments of http and https being used. This technique is commonly used by malicious software to bypass preventative controls. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "rundll32.exe" and its parent process. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic identifies when Microsoft HTML Application Host (mshta.exe) utility is used to make remote http connections. Adversaries may use mshta.exe to proxy the download and execution of remote .hta files. The analytic identifies command line arguments of http and https being used. This technique is commonly used by malicious software to bypass preventative controls. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "rundll32.exe" and its parent process. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. 
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -20281,7 +20936,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect MSHTA Url in Command Line - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious MSHTA Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious MSHTA Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -20304,13 +20959,13 @@ search = | tstats `security_content_summariesonly` count values(Processes.proces action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the creation of new accounts that have been elevated to local administrators so that you can take immediate action to mitigate the risks and prevent further unauthorized access or malicious activities. This detection is made by using the Splunk query `wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) to search for relevant security events in the Windows event log. When a new account is created or an existing account is added to the Administrators group, this analytic identifies this behavior by looking for EventCode 4720 (A user account was created) or EventCode 4732 (A member was added to a security-enabled global group). This analytic specifically focuses on events where the Group_Name is set to Administrators. This detection is important because it suggests that an attacker has gained elevated privileges and can perform malicious actions with administrative access. This can lead to significant impact, such as unauthorized access to sensitive data, unauthorized modifications to systems or configurations, and potential disruption of critical services. identifying this behavior is crucial for a Security Operations Center (SOC). Next steps include reviewing the details of the security event, including the user account that was created or added to the Administrators group. Also, examine the time span between the first and last occurrence of the event to determine if the behavior is ongoing. Additionally, consider any contextual information, such as the destination where the account was created or added to understand the scope and potential impact of the attack. 
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects the creation of new accounts that have been elevated to local administrators so that you can take immediate action to mitigate the risks and prevent further unauthorized access or malicious activities. This detection is made by using the Splunk query `wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) to search for relevant security events in the Windows event log. When a new account is created or an existing account is added to the Administrators group, this analytic identifies this behavior by looking for EventCode 4720 (A user account was created) or EventCode 4732 (A member was added to a security-enabled global group). This analytic specifically focuses on events where the Group_Name is set to Administrators. This detection is important because it suggests that an attacker has gained elevated privileges and can perform malicious actions with administrative access. This can lead to significant impact, such as unauthorized access to sensitive data, unauthorized modifications to systems or configurations, and potential disruption of critical services. identifying this behavior is crucial for a Security Operations Center (SOC). Next steps include reviewing the details of the security event, including the user account that was created or added to the Administrators group. Also, examine the time span between the first and last occurrence of the event to determine if the behavior is ongoing. Additionally, consider any contextual information, such as the destination where the account was created or added to understand the scope and potential impact of the attack. 
action.escu.how_to_implement = You must be ingesting Windows event logs using the Splunk Windows TA and collecting event code 4720 and 4732 action.escu.known_false_positives = The activity may be legitimate. For this reason, it's best to verify the account with an administrator and ask whether there was a valid service request for the account creation. If your local administrator group name is not "Administrators", this search may generate an excessive number of false positives -action.escu.creation_date = 2020-07-08 -action.escu.modification_date = 2020-07-08 +action.escu.creation_date = 2024-02-14 +action.escu.modification_date = 2024-02-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect New Local Admin account - Rule action.escu.search_type = detection @@ -20327,7 +20982,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect New Local Admin account - Rule -action.correlationsearch.annotations = {"analytic_story": ["DHS Report TA18-074A", "HAFNIUM Group", "CISA AA22-257A"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["DHS Report TA18-074A", "HAFNIUM Group", "CISA AA22-257A"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -20350,7 +21005,7 @@ search = `wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Adm action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for execution of process `outlook.exe` where the process is writing a `.zip` file to the disk. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for execution of process `outlook.exe` where the process is writing a `.zip` file to the disk. action.escu.how_to_implement = You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon. 
@@ -20373,7 +21028,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Detect Outlook exe writing a zip file - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "Amadey", "Remcos"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "Amadey", "Remcos"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -20396,7 +21051,7 @@ search = | tstats `security_content_summariesonly` min(_time) as firstTime max(
 action.escu = 0
 action.escu.enabled = 1
 description = The detection Detect Path Interception By Creation Of program exe is detecting the abuse of unquoted service paths, which is a popular technique for privilege escalation.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1574.009", "T1574"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.009", "T1574"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The detection Detect Path Interception By Creation Of program exe is detecting the abuse of unquoted service paths, which is a popular technique for privilege escalation.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -20419,7 +21074,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Detect Path Interception By Creation Of program exe - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1574.009", "T1574"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.009", "T1574"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -20442,7 +21097,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This search looks for fast execution of processes used for system network configuration discovery on the endpoint.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1016"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1016"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search looks for fast execution of processes used for system network configuration discovery on the endpoint.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -20465,7 +21120,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Detect processes used for System Network Configuration Discovery - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Unusual Processes"], "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "mitre_attack": ["T1016"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Unusual Processes"], "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1016"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -20488,7 +21143,7 @@ search = | tstats `security_content_summariesonly` count values(Processes.proces
 action.escu = 0
 action.escu.enabled = 1
 description = This search looks for executions of cmd.exe spawned by a process that is often abused by attackers and that does not typically launch cmd.exe.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search looks for executions of cmd.exe spawned by a process that is often abused by attackers and that does not typically launch cmd.exe.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -20506,7 +21161,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Detect Prohibited Applications Spawning cmd exe - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Command-Line Executions", "Suspicious MSHTA Activity", "Suspicious Zoom Child Processes", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Command-Line Executions", "Suspicious MSHTA Activity", "Suspicious Zoom Child Processes", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -20523,7 +21178,7 @@ search = | tstats `security_content_summariesonly` count values(Processes.proces
 action.escu = 0
 action.escu.enabled = 1
 description = This search looks for events where `PsExec.exe` is run with the `accepteula` flag in the command line. PsExec is a built-in Windows utility that enables you to execute processes on other systems. It is fully interactive for console applications. This tool is widely used for launching interactive command prompts on remote systems. Threat actors leverage this extensively for executing code on compromised systems. If an attacker is running PsExec for the first time, they will be prompted to accept the end-user license agreement (EULA), which can be passed as the argument `accepteula` within the command line.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1021", "T1021.002"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.002"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search looks for events where `PsExec.exe` is run with the `accepteula` flag in the command line. PsExec is a built-in Windows utility that enables you to execute processes on other systems. It is fully interactive for console applications. This tool is widely used for launching interactive command prompts on remote systems. Threat actors leverage this extensively for executing code on compromised systems. If an attacker is running PsExec for the first time, they will be prompted to accept the end-user license agreement (EULA), which can be passed as the argument `accepteula` within the command line.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed.
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -20546,7 +21201,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Detect PsExec With accepteula Flag - Rule
-action.correlationsearch.annotations = {"analytic_story": ["SamSam Ransomware", "DHS Report TA18-074A", "HAFNIUM Group", "DarkSide Ransomware", "Active Directory Lateral Movement", "CISA AA22-320A", "Sandworm Tools", "Volt Typhoon", "IcedID", "BlackByte Ransomware", "DarkGate Malware", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "mitre_attack": ["T1021", "T1021.002"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["SamSam Ransomware", "DHS Report TA18-074A", "HAFNIUM Group", "DarkSide Ransomware", "Active Directory Lateral Movement", "CISA AA22-320A", "Sandworm Tools", "Volt Typhoon", "IcedID", "BlackByte Ransomware", "DarkGate Malware", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.002"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -20609,7 +21264,7 @@ search = | tstats `security_content_summariesonly` count values(Processes.dest)
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic identifies commonly used command-line arguments used by `rclone.exe` to initiate a file transfer. Some arguments were negated as they are specific to the configuration used by adversaries. In particular, an adversary may list the files or directories of the remote file share using `ls` or `lsd`, which is not indicative of malicious behavior. During triage, at this stage of a ransomware event, exfiltration is about to occur or has already. Isolate the endpoint and continue investigating by review file modifications and parallel processes.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1020"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1020"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic identifies commonly used command-line arguments used by `rclone.exe` to initiate a file transfer. Some arguments were negated as they are specific to the configuration used by adversaries. In particular, an adversary may list the files or directories of the remote file share using `ls` or `lsd`, which is not indicative of malicious behavior. During triage, at this stage of a ransomware event, exfiltration is about to occur or has already. Isolate the endpoint and continue investigating by review file modifications and parallel processes.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions.
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -20632,7 +21287,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Detect RClone Command-Line Usage - Rule
-action.correlationsearch.annotations = {"analytic_story": ["DarkSide Ransomware", "Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "mitre_attack": ["T1020"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["DarkSide Ransomware", "Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1020"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -20655,7 +21310,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies regasm.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies regasm.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents.
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -20678,7 +21333,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Detect Regasm Spawning a Process - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Regsvcs Regasm Activity", "Living Off The Land", "DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Regsvcs Regasm Activity", "Living Off The Land", "DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -20701,13 +21356,13 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies regasm.exe with a network connection to a public IP address, exluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote Command And Control server, the adversary will have the ability to escalate privileges and complete the objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies regasm.exe with a network connection to a public IP address, exluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote Command And Control server, the adversary will have the ability to escalate privileges and complete the objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed.
regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
 action.escu.known_false_positives = Although unlikely, limited instances of regasm.exe with a network connection may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.
-action.escu.creation_date = 2022-02-18
-action.escu.modification_date = 2022-02-18
+action.escu.creation_date = 2024-01-30
+action.escu.modification_date = 2024-01-30
 action.escu.confidence = high
 action.escu.full_search_name = ESCU - Detect Regasm with Network Connection - Rule
 action.escu.search_type = detection
@@ -20724,7 +21379,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Detect Regasm with Network Connection - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
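Review bot: The Detect Regasm with Network Connection stanza rewrites `action.escu.creation_date` from 2022-02-18 to 2024-01-30 in lockstep with `action.escu.modification_date`, which discards the record of when the detection was first published; an edit to the search should move only the modification date. The Detect Regsvcs with Network Connection hunk further down makes the identical change, and the Detect New Local Admin account hunk at the top of this chunk (whose start is outside this view) shows the same pattern with 2020-07-08 becoming 2024-02-14. If the release job derives both fields from a single upstream date value, the fix belongs in the generator rather than in this generated file; otherwise keep `action.escu.creation_date = 2022-02-18` here and bump only `action.escu.modification_date = 2024-01-30`.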
@@ -20741,13 +21396,13 @@ relation = greater than
 quantity = 0
 realtime_schedule = 0
 is_visible = false
-search = `sysmon` EventID=3 dest_ip!=10.0.0.0/12 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regasm.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_with_network_connection_filter`
+search = `sysmon` EventID=3 dest_ip!=10.0.0.0/8 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regasm.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_with_network_connection_filter`
 [ESCU - Detect Regasm with no Command Line Arguments - Rule]
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies regasm.exe with no command line arguments. This particular behavior occurs when another process injects into regasm.exe, no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe are natively found in `C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe` and `C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe`.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies regasm.exe with no command line arguments. This particular behavior occurs when another process injects into regasm.exe, no command line arguments will be present.
During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe are natively found in `C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe` and `C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe`.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -20770,7 +21425,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Detect Regasm with no Command Line Arguments - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
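Review bot: The corrected `dest_ip!=10.0.0.0/8` on the `search =` line of the Detect Regasm with Network Connection stanza still leaves the exclusion list narrower than the description's "network connection to a public IP address, excluding private IP space": only the three RFC 1918 blocks are filtered, so a Sysmon EventID 3 for a loopback or link-local destination would presumably still surface as a notable about a "public" address. Consider extending the filter with `dest_ip!=127.0.0.0/8 dest_ip!=169.254.0.0/16 dest_ip!=100.64.0.0/10`, and, where IPv6 connections are collected, the corresponding `fc00::/7` and `fe80::/10` ranges. The Detect Regsvcs with Network Connection search further down carries the same exclusion list and should get the same treatment. The stanza header that this `search =` line belongs to is outside the hunk; only its trailing keys and the following stanza's header are visible here.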
@@ -20793,7 +21448,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies regsvcs.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies regsvcs.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents.
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -20816,7 +21471,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Detect Regsvcs Spawning a Process - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -20839,13 +21494,13 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies Regsvcs.exe with a network connection to a public IP address, exluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote Command And Control server, the adversary will have the ability to escalate privileges and complete the objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies Regsvcs.exe with a network connection to a public IP address, exluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote Command And Control server, the adversary will have the ability to escalate privileges and complete the objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed.
regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
 action.escu.known_false_positives = Although unlikely, limited instances of regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.
-action.escu.creation_date = 2022-02-18
-action.escu.modification_date = 2022-02-18
+action.escu.creation_date = 2024-01-30
+action.escu.modification_date = 2024-01-30
 action.escu.confidence = high
 action.escu.full_search_name = ESCU - Detect Regsvcs with Network Connection - Rule
 action.escu.search_type = detection
@@ -20862,7 +21517,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Detect Regsvcs with Network Connection - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -20879,13 +21534,13 @@ relation = greater than
 quantity = 0
 realtime_schedule = 0
 is_visible = false
-search = `sysmon` EventID=3 dest_ip!=10.0.0.0/12 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regsvcs.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_with_network_connection_filter`
+search = `sysmon` EventID=3 dest_ip!=10.0.0.0/8 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regsvcs.exe | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_with_network_connection_filter`
 
 [ESCU - Detect Regsvcs with No Command Line Arguments - Rule]
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies regsvcs.exe with no command line arguments. This particular behavior occurs when another process injects into regsvcs.exe, no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies regsvcs.exe with no command line arguments. This particular behavior occurs when another process injects into regsvcs.exe, no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -20908,7 +21563,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Detect Regsvcs with No Command Line Arguments - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.009"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
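Review bot: The corrected `dest_ip!=10.0.0.0/8` now covers the whole 10/8 block (the previous /12 left 10.16.0.0 through 10.255.255.255 treated as public), but the new `search` line still passes loopback, link-local, CGNAT and multicast destinations, and any IPv6 destination, so Sysmon EventID 3 records to 127.0.0.0/8, 169.254.0.0/16, 100.64.0.0/10, 224.0.0.0/4 or fe80::/10 raise a high-confidence notable on an analytic documented as excluding private IP space. Adding `dest_ip!=127.0.0.0/8 dest_ip!=169.254.0.0/16 dest_ip!=100.64.0.0/10 dest_ip!=224.0.0.0/4` to the search, or folding the non-routable set into the existing `detect_regsvcs_with_network_connection_filter` macro so operators can extend it, keeps the search to its stated intent. The `[ESCU - Detect Regsvcs with Network Connection - Rule]` stanza that owns this `search` line begins before this hunk; the No Command Line Arguments stanza that follows it continues past the hunk's end.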
@@ -20932,7 +21587,7 @@ action.escu = 0
 action.escu.enabled = 1
 description = Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.This variation of the technique is often referred to as a "Squiblydoo" attack. \
 Upon investigating, look for network connections to remote destinations (internal or external). Be cautious to modify the query to look for "scrobj.dll", the ".dll" is not required to load scrobj. "scrobj.dll" will be loaded by "regsvr32.exe" upon execution.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.This variation of the technique is often referred to as a "Squiblydoo" attack. \
 Upon investigating, look for network connections to remote destinations (internal or external). Be cautious to modify the query to look for "scrobj.dll", the ".dll" is not required to load scrobj. "scrobj.dll" will be loaded by "regsvr32.exe" upon execution.
@@ -20956,7 +21611,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Detect Regsvr32 Application Control Bypass - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Cobalt Strike", "BlackByte Ransomware", "Graceful Wipe Out Attack", "Suspicious Regsvr32 Activity"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Cobalt Strike", "BlackByte Ransomware", "Graceful Wipe Out Attack", "Suspicious Regsvr32 Activity"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -20980,7 +21635,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies renamed 7-Zip usage using Sysmon. At this stage of an attack, review parallel processes and file modifications for data that is staged or potentially have been exfiltrated. This analytic utilizes the OriginalFileName to capture the renamed process. During triage, validate this is the legitimate version of `7zip` by reviewing the PE metadata. In addition, review parallel processes for further suspicious behavior.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies renamed 7-Zip usage using Sysmon. At this stage of an attack, review parallel processes and file modifications for data that is staged or potentially have been exfiltrated. This analytic utilizes the OriginalFileName to capture the renamed process. During triage, validate this is the legitimate version of `7zip` by reviewing the PE metadata. In addition, review parallel processes for further suspicious behavior.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -20998,7 +21653,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Detect Renamed 7-Zip - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Collection and Staging"], "cis20": ["CIS 10"], "confidence": 90, "impact": 30, "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Collection and Staging"], "cis20": ["CIS 10"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -21015,7 +21670,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies renamed instances of `PsExec.exe` being utilized on an endpoint. Most instances, it is highly probable to capture `Psexec.exe` or other SysInternal utility usage with the command-line argument of `-accepteula`. During triage, validate this is the legitimate version of `PsExec` by reviewing the PE metadata. In addition, review parallel processes for further suspicious behavior.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies renamed instances of `PsExec.exe` being utilized on an endpoint. Most instances, it is highly probable to capture `Psexec.exe` or other SysInternal utility usage with the command-line argument of `-accepteula`. During triage, validate this is the legitimate version of `PsExec` by reviewing the PE metadata. In addition, review parallel processes for further suspicious behavior.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -21033,7 +21688,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Detect Renamed PSExec - Rule
-action.correlationsearch.annotations = {"analytic_story": ["SamSam Ransomware", "DHS Report TA18-074A", "HAFNIUM Group", "DarkSide Ransomware", "Active Directory Lateral Movement", "CISA AA22-320A", "Sandworm Tools", "BlackByte Ransomware", "DarkGate Malware", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 30, "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["SamSam Ransomware", "DHS Report TA18-074A", "HAFNIUM Group", "DarkSide Ransomware", "Active Directory Lateral Movement", "CISA AA22-320A", "Sandworm Tools", "BlackByte Ransomware", "DarkGate Malware", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -21050,7 +21705,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies the usage of `rclone.exe`, renamed, being used to exfiltrate data to a remote destination. RClone has been used by multiple ransomware groups to exfiltrate data. In many instances, it will be downloaded from the legitimate site and executed accordingly. During triage, isolate the endpoint and begin to review parallel processes for additional behavior. At this stage, the adversary may have staged data to be exfiltrated.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1020"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1020"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies the usage of `rclone.exe`, renamed, being used to exfiltrate data to a remote destination. RClone has been used by multiple ransomware groups to exfiltrate data. In many instances, it will be downloaded from the legitimate site and executed accordingly. During triage, isolate the endpoint and begin to review parallel processes for additional behavior. At this stage, the adversary may have staged data to be exfiltrated.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -21068,7 +21723,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Detect Renamed RClone - Rule
-action.correlationsearch.annotations = {"analytic_story": ["DarkSide Ransomware", "Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 30, "mitre_attack": ["T1020"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["DarkSide Ransomware", "Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1020"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -21085,7 +21740,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analtyic identifies renamed instances of `WinRAR.exe`. In most cases, it is not common for WinRAR to be used renamed, however it is common to be installed by a third party application and executed from a non-standard path. During triage, validate additional metadata from the binary that this is `WinRAR`. Review parallel processes and file modifications.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analtyic identifies renamed instances of `WinRAR.exe`. In most cases, it is not common for WinRAR to be used renamed, however it is common to be installed by a third party application and executed from a non-standard path. During triage, validate additional metadata from the binary that this is `WinRAR`. Review parallel processes and file modifications.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -21103,7 +21758,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Detect Renamed WinRAR - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Collection and Staging", "CISA AA22-277A"], "cis20": ["CIS 10"], "confidence": 90, "impact": 30, "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Collection and Staging", "CISA AA22-277A"], "cis20": ["CIS 10"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -21120,7 +21775,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This search is used to detect the abuse of the right-to-left override (RTLO or RLO) character (U+202E) RTLO. This technique is used by adversaries to disguise a string and/or file name to make it appear benign. The RTLO character is a non-printing Unicode character that causes the text that follows it to be displayed in reverse.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1036.002", "T1036"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.002", "T1036"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search is used to detect the abuse of the right-to-left override (RTLO or RLO) character (U+202E) RTLO. This technique is used by adversaries to disguise a string and/or file name to make it appear benign. The RTLO character is a non-printing Unicode character that causes the text that follows it to be displayed in reverse.
 action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that includes the full command line of the process being launched on your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
@@ -21135,7 +21790,7 @@ action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Bla
 action.escu.analytic_story = ["Spearphishing Attachments"]
 action.risk = 1
 action.risk.param._risk_message = Suspicious RTLO detected in $file_name$ on endpoint $dest$ by user $user$.
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}, {"threat_object_field": "file_name", "threat_object_type": "file name"}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -21143,7 +21798,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Detect RTLO In File Name - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "mitre_attack": ["T1036.002", "T1036"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.002", "T1036"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -21166,7 +21821,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This search is used to detect the abuse of the right-to-left override (RTLO or RLO) character (U+202E) RTLO. This technique is used by adversaries to disguise a string and/or file name to make it appear benign. The RTLO character is a non-printing Unicode character that causes the text that follows it to be displayed in reverse.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1036.002", "T1036"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.002", "T1036"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search is used to detect the abuse of the right-to-left override (RTLO or RLO) character (U+202E) RTLO. This technique is used by adversaries to disguise a string and/or file name to make it appear benign. The RTLO character is a non-printing Unicode character that causes the text that follows it to be displayed in reverse.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -21181,7 +21836,7 @@ action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Bla
 action.escu.analytic_story = ["Spearphishing Attachments"]
 action.risk = 1
 action.risk.param._risk_message = Suspicious RTLO detected in $process_name$ on endpoint $dest$ by user $user$.
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}, {"threat_object_field": "process_name", "threat_object_type": "process name"}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}, {"threat_object_field": "process_name", "threat_object_type": "process"}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -21189,7 +21844,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Detect RTLO In Process - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "mitre_attack": ["T1036.002", "T1036"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.002", "T1036"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -21212,7 +21867,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies rundll32.exe loading advpack.dll and ieadvpack.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies rundll32.exe loading advpack.dll and ieadvpack.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -21235,7 +21890,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Detect Rundll32 Application Control Bypass - advpack - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Rundll32 Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Rundll32 Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -21258,7 +21913,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies rundll32.exe loading setupapi.dll and iesetupapi.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies rundll32.exe loading setupapi.dll and iesetupapi.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -21281,7 +21936,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Detect Rundll32 Application Control Bypass - setupapi - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Rundll32 Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Rundll32 Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -21304,7 +21959,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies rundll32.exe loading syssetup.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies rundll32.exe loading syssetup.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -21327,7 +21982,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Rundll32 Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious Rundll32 Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -21350,7 +22005,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies "rundll32.exe" execution with inline protocol handlers. "JavaScript", "VBScript", and "About" are the only supported options when invoking HTA content directly on the command-line. This type of behavior is commonly observed with fileless malware or application whitelisting bypass techniques. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "rundll32.exe" and its parent process. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies "rundll32.exe" execution with inline protocol handlers. "JavaScript", "VBScript", and "About" are the only supported options when invoking HTA content directly on the command-line. This type of behavior is commonly observed with fileless malware or application whitelisting bypass techniques. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "rundll32.exe" and its parent process. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -21373,7 +22028,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Rundll32 Inline HTA Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious MSHTA Activity", "NOBELIUM Group", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious MSHTA Activity", "NOBELIUM Group", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -21396,7 +22051,7 @@ search = | tstats `security_content_summariesonly` count values(Processes.proces action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies common command-line arguments used by SharpHound `-collectionMethod` and `invoke-bloodhound`. Being the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies common command-line arguments used by SharpHound `-collectionMethod` and `invoke-bloodhound`. Being the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -21419,7 +22074,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect SharpHound Command-Line Arguments - Rule -action.correlationsearch.annotations = {"analytic_story": ["Discovery Techniques", "Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Discovery Techniques", "Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -21442,7 +22097,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = SharpHound is used as a reconnaissance collector, ingestor, for BloodHound. SharpHound will query the domain controller and begin gathering all the data related to the domain and trusts. For output, it will drop a .zip file upon completion following a typical pattern that is often not changed. This analytic focuses on the default file name scheme. Note that this may be evaded with different parameters within SharpHound, but that depends on the operator. `-randomizefilenames` and `-encryptzip` are two examples. In addition, executing SharpHound via .exe or .ps1 without any command-line arguments will still perform activity and dump output to the default filename. Example default filename `20210601181553_BloodHound.zip`. SharpHound creates multiple temp files following the same pattern `20210601182121_computers.json`, `domains.json`, `gpos.json`, `ous.json` and `users.json`. Tuning may be required, or remove these json's entirely if it is too noisy. During traige, review parallel processes for further suspicious behavior. Typically, the process executing the `.ps1` ingestor will be PowerShell. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = SharpHound is used as a reconnaissance collector, ingestor, for BloodHound. SharpHound will query the domain controller and begin gathering all the data related to the domain and trusts. For output, it will drop a .zip file upon completion following a typical pattern that is often not changed. 
This analytic focuses on the default file name scheme. Note that this may be evaded with different parameters within SharpHound, but that depends on the operator. `-randomizefilenames` and `-encryptzip` are two examples. In addition, executing SharpHound via .exe or .ps1 without any command-line arguments will still perform activity and dump output to the default filename. Example default filename `20210601181553_BloodHound.zip`. SharpHound creates multiple temp files following the same pattern `20210601182121_computers.json`, `domains.json`, `gpos.json`, `ous.json` and `users.json`. Tuning may be required, or remove these json's entirely if it is too noisy. During traige, review parallel processes for further suspicious behavior. Typically, the process executing the `.ps1` ingestor will be PowerShell. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on file modifications that include the name of the process, and file, responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. @@ -21465,7 +22120,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect SharpHound File Modifications - Rule -action.correlationsearch.annotations = {"analytic_story": ["Discovery Techniques", "Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Discovery Techniques", "Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -21488,7 +22143,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies SharpHound binary usage by using the original filena,e. In addition to renaming the PE, other coverage is available to detect command-line arguments. This particular analytic looks for the original_file_name of `SharpHound.exe` and the process name. It is possible older instances of SharpHound.exe have different original filenames. Dependent upon the operator, the code may be re-compiled and the attributes removed or changed to anything else. During triage, review the metadata of the binary in question. Review parallel processes for suspicious behavior. Identify the source of this binary. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies SharpHound binary usage by using the original filena,e. In addition to renaming the PE, other coverage is available to detect command-line arguments. This particular analytic looks for the original_file_name of `SharpHound.exe` and the process name. It is possible older instances of SharpHound.exe have different original filenames. Dependent upon the operator, the code may be re-compiled and the attributes removed or changed to anything else. During triage, review the metadata of the binary in question. Review parallel processes for suspicious behavior. Identify the source of this binary. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -21511,7 +22166,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect SharpHound Usage - Rule -action.correlationsearch.annotations = {"analytic_story": ["Discovery Techniques", "Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Discovery Techniques", "Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -21534,7 +22189,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic uses a pre-trained Deep Learning model to predict whether a processname is suspicious or not. Malwares and malicious programs such as ransomware often use tactics, techniques, and procedures (TTPs) such as copying malicious files to the local machine to propagate themselves across the network. A key indicator of compromise is that after a successful execution of the malware, it copies itself as an executable file with a randomly generated filename and places this file in one of the directories. Such techniques are seen in several malwares such as TrickBot. We develop machine learning model that uses a Recurrent Neural Network (RNN) to distinguish between malicious and benign processnames. The model is trained independently and is then made available for download. We use a character level RNN to classify malicious vs. benign processnames. The higher is_malicious_prob, the more likely is the processname to be suspicious (between [0,1]). The threshold for flagging a processname as suspicious is set as 0.5. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic uses a pre-trained Deep Learning model to predict whether a processname is suspicious or not. 
Malwares and malicious programs such as ransomware often use tactics, techniques, and procedures (TTPs) such as copying malicious files to the local machine to propagate themselves across the network. A key indicator of compromise is that after a successful execution of the malware, it copies itself as an executable file with a randomly generated filename and places this file in one of the directories. Such techniques are seen in several malwares such as TrickBot. We develop machine learning model that uses a Recurrent Neural Network (RNN) to distinguish between malicious and benign processnames. The model is trained independently and is then made available for download. We use a character level RNN to classify malicious vs. benign processnames. The higher is_malicious_prob, the more likely is the processname to be suspicious (between [0,1]). The threshold for flagging a processname as suspicious is set as 0.5. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -21557,7 +22212,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Detect suspicious processnames using pretrained model in DSDL - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Command-Line Executions"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "mitre_attack": ["T1059"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious Command-Line Executions"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -21574,11 +22229,11 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This search looks for the execution of the cscript.exe or wscript.exe processes, with a parent of cmd.exe. The search will return the count, the first and last time this execution was seen on a machine, the user, and the destination of the machine -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for the execution of the cscript.exe or wscript.exe processes, with a parent of cmd.exe. The search will return the count, the first and last time this execution was seen on a machine, the user, and the destination of the machine action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -action.escu.known_false_positives = Some legitimate applications may exhibit this behavior. +action.escu.known_false_positives = This detection may also be triggered by legitimate applications and numerous service accounts, which often end with a $ sign. 
To manage this, it's advised to check the service account's activities and, if they are valid, modify the filter macro to exclude them. action.escu.creation_date = 2023-12-07 action.escu.modification_date = 2023-12-07 action.escu.confidence = high @@ -21588,7 +22243,7 @@ action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splun action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Emotet Malware DHS Report TA18-201A ", "Suspicious Command-Line Executions", "Azorult"] action.risk = 1 -action.risk.param._risk_message = cmd.exe launching script interpreters on $dest$ +action.risk.param._risk_message = cmd.exe launching script interpreters $process_name$ on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 @@ -21597,7 +22252,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule -action.correlationsearch.annotations = {"analytic_story": ["Emotet Malware DHS Report TA18-201A ", "Suspicious Command-Line Executions", "Azorult"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Emotet Malware DHS Report TA18-201A ", "Suspicious Command-Line Executions", "Azorult"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -21620,7 +22275,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This search is used to detect the abuse of web applications by adversaries. Adversaries may install a backdoor or script onto web servers by exploiting known vulnerabilities or misconfigruations. Web shells are used to establish persistent access to systems and provide a set of executable functions or a command-line interface on the system hosting the Web server. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1505", "T1505.003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search is used to detect the abuse of web applications by adversaries. Adversaries may install a backdoor or script onto web servers by exploiting known vulnerabilities or misconfigruations. Web shells are used to establish persistent access to systems and provide a set of executable functions or a command-line interface on the system hosting the Web server. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -21643,7 +22298,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Webshell Exploit Behavior - Rule -action.correlationsearch.annotations = {"analytic_story": ["ProxyNotShell", "ProxyShell", "CISA AA22-257A", "HAFNIUM Group", "BlackByte Ransomware", "CISA AA22-264A", "Citrix ShareFile RCE CVE-2023-24489", "Flax Typhoon", "WS FTP Server Critical Vulnerabilities", "SysAid On-Prem Software CVE-2023-47246 Vulnerability"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "mitre_attack": ["T1505", "T1505.003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["ProxyNotShell", "ProxyShell", "CISA AA22-257A", "HAFNIUM Group", "BlackByte Ransomware", "CISA AA22-264A", "Citrix ShareFile RCE CVE-2023-24489", "Flax Typhoon", "WS FTP Server Critical Vulnerabilities", "SysAid On-Prem Software CVE-2023-47246 Vulnerability"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -21671,7 +22326,7 @@ All event subscriptions have three components \ 1. Consumer - An action to take upon triggering the filter. EventID equals 20 \ 1. Binding - Registers a filter to a consumer. EventID equals 21 \ Monitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding. It may be pertinent to review all 3 to identify the flow of execution. In addition, EventCode 4104 may assist with any other PowerShell script usage that registered the subscription. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1546.003", "T1546"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.003", "T1546"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the use of WMI Event Subscription to establish persistence or perform privilege escalation. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. This analytic is restricted by commonly added process execution and a path. If the volume is low enough, remove the values and flag on any new subscriptions.\ All event subscriptions have three components \ 
@@ -21699,7 +22354,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect WMI Event Subscription Persistence - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious WMI Use"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1546.003", "T1546"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious WMI Use"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.003", "T1546"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -21727,7 +22382,7 @@ search = `sysmon` EventID=20 | stats count min(_time) as firstTime max(_time) as action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for specific command-line arguments that may indicate the execution of tools made by Nirsoft, which are legitimate, but may be abused by attackers. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1072"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1072"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for specific command-line arguments that may indicate the execution of tools made by Nirsoft, which are legitimate, but may be abused by attackers. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -21750,7 +22405,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Detection of tools built by NirSoft - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Emotet Malware DHS Report TA18-201A "], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1072"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Emotet Malware DHS Report TA18-201A "], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1072"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
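Review bot: The new annotations line for the NirSoft rule carries an analytic_story value with a trailing space, `"Emotet Malware DHS Report TA18-201A "`, which the commit preserves rather than fixes. Enterprise Security matches correlation-search annotations to analytic stories by exact string, so unless the story is registered with the identical trailing space in analyticstories.conf this rule will not be linked to its story and will be invisible in story-based dashboards and searches. Since this file is generated by the release job, the fix belongs in the source YAML's `analytic_story` field; the rendered line should read `"analytic_story": ["Emotet Malware DHS Report TA18-201A"]`. Worth a quick grep for other story names with leading or trailing whitespace before the next release.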
@@ -21773,7 +22428,7 @@ search = | tstats `security_content_summariesonly` count min(_time) values(Proce
 action.escu = 0
 action.escu.enabled = 1
 description = this search is to identify modification in registry to disable AMSI windows feature to evade detections. This technique was seen in several ransomware, RAT and even APT to impaire defenses of the compromise machine and to be able to execute payload with minimal alert as much as possible.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = this search is to identify modification in registry to disable AMSI windows feature to evade detections. This technique was seen in several ransomware, RAT and even APT to impaire defenses of the compromise machine and to be able to execute payload with minimal alert as much as possible.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
@@ -21796,7 +22451,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Disable AMSI Through Registry - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "CISA AA23-347A", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "CISA AA23-347A", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -21819,7 +22474,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
@@ -21842,7 +22497,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Disable Defender AntiVirus Registry - Rule
-action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -21865,7 +22520,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the BlockAtFirstSeen feature where it blocks suspicious files the first time seen on the host.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the BlockAtFirstSeen feature where it blocks suspicious files the first time seen on the host.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
@@ -21888,7 +22543,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Disable Defender BlockAtFirstSeen Feature - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azorult", "CISA AA23-347A", "IcedID", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azorult", "CISA AA23-347A", "IcedID", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -21911,7 +22566,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic is intended to detect a suspicious modification of registry to disable windows defender features. This technique attempts to bypass or evade detection from Windows Defender AV, specifically the Enhanced Notification feature where a user or admin would receive alerts.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic is intended to detect a suspicious modification of registry to disable windows defender features. This technique attempts to bypass or evade detection from Windows Defender AV, specifically the Enhanced Notification feature where a user or admin would receive alerts.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -21934,7 +22589,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Disable Defender Enhanced Notification - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azorult", "CISA AA23-347A", "IcedID", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azorult", "CISA AA23-347A", "IcedID", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -21957,7 +22612,7 @@ search = | tstats `security_content_summariesonly` count min(_time) AS firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
@@ -21980,7 +22635,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Disable Defender MpEngine Registry - Rule
-action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -22003,7 +22658,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic is intended to detect a suspicious modification of registry to disable Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV product, specifically the spynet reporting for Defender telemetry.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic is intended to detect a suspicious modification of registry to disable Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV product, specifically the spynet reporting for Defender telemetry.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
@@ -22026,7 +22681,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Disable Defender Spynet Reporting - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azorult", "Windows Registry Abuse", "Qakbot", "IcedID", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azorult", "Windows Registry Abuse", "Qakbot", "IcedID", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -22049,7 +22704,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the feature that submits samples for further analysis.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the feature that submits samples for further analysis.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
@@ -22072,7 +22727,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Disable Defender Submit Samples Consent Feature - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azorult", "CISA AA23-347A", "IcedID", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azorult", "CISA AA23-347A", "IcedID", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -22095,7 +22750,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = This search is to identify modification in registry to disable ETW windows feature to evade detections. This technique was seen in several ransomware, RAT and even APT to impaire defenses of the compromise machine and to be able to execute payload with minimal alert as much as possible.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search is to identify modification in registry to disable ETW windows feature to evade detections. This technique was seen in several ransomware, RAT and even APT to impaire defenses of the compromise machine and to be able to execute payload with minimal alert as much as possible.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
@@ -22118,7 +22773,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Disable ETW Through Registry - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "CISA AA23-347A", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "CISA AA23-347A", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -22141,7 +22796,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = This search is to detect execution of wevtutil.exe to disable logs. This technique was seen in several ransomware to disable the event logs to evade alerts and detections.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1070", "T1070.001"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070", "T1070.001"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search is to detect execution of wevtutil.exe to disable logs. This technique was seen in several ransomware to disable the event logs to evade alerts and detections.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -22164,7 +22819,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Disable Logs Using WevtUtil - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "CISA AA23-347A", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "mitre_attack": ["T1070", "T1070.001"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "CISA AA23-347A", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070", "T1070.001"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -22187,7 +22842,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This search identifies modification of registry to disable the regedit or registry tools of the windows operating system. Since registry tool is a swiss knife in analyzing registry, malware such as RAT or trojan Spy disable this application to prevent the removal of their registry entry such as persistence, file less components and defense evasion.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search identifies modification of registry to disable the regedit or registry tools of the windows operating system. Since registry tool is a swiss knife in analyzing registry, malware such as RAT or trojan Spy disable this application to prevent the removal of their registry entry such as persistence, file less components and defense evasion.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
@@ -22210,7 +22865,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Disable Registry Tool - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse", "NjRAT"], "cis20": ["CIS 10"], "confidence": 100, "impact": 40, "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse", "NjRAT"], "cis20": ["CIS 10"], "confidence": 100, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -22233,7 +22888,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic is to detect a suspicious commandline to disable existing schedule task. This technique is used by adversaries or commodity malware like IcedID to disable security application (AV products) in the targetted host to evade detections. This TTP is a good pivot to check further why and what other process run before and after this detection. check which process execute the commandline and what task is disabled. parent child process is quite valuable in this scenario too.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic is to detect a suspicious commandline to disable existing schedule task. This technique is used by adversaries or commodity malware like IcedID to disable security application (AV products) in the targetted host to evade detections. This TTP is a good pivot to check further why and what other process run before and after this detection. check which process execute the commandline and what task is disabled. parent child process is quite valuable in this scenario too.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product.
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -22256,7 +22911,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Disable Schedule Task - Rule
-action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -22279,7 +22934,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTim
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic is to detect a suspicious registry modification to disable security audit logs. This technique was shared by a researcher to disable Security logs of windows by adding this registry. The Windows will think it is WinPE and will not log any event to the Security Log
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic is to detect a suspicious registry modification to disable security audit logs. This technique was shared by a researcher to disable Security logs of windows by adding this registry. The Windows will think it is WinPE and will not log any event to the Security Log
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
@@ -22302,7 +22957,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Disable Security Logs Using MiniNt Registry - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "CISA AA23-347A", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1112"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "CISA AA23-347A", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -22325,13 +22980,13 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic is to identify a modification in the Windows registry to prevent users from seeing all the files with hidden attributes. This event or techniques are known on some worm and trojan spy malware that will drop hidden files on the infected machine.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1564.001", "T1562.001", "T1564", "T1562", "T1112"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.001", "T1562.001", "T1564", "T1562", "T1112"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic is to identify a modification in the Windows registry to prevent users from seeing all the files with hidden attributes. This event or techniques are known on some worm and trojan spy malware that will drop hidden files on the infected machine.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
 action.escu.known_false_positives = unknown
-action.escu.creation_date = 2023-04-27
-action.escu.modification_date = 2023-04-27
+action.escu.creation_date = 2024-02-14
+action.escu.modification_date = 2024-02-14
 action.escu.confidence = high
 action.escu.full_search_name = ESCU - Disable Show Hidden Files - Rule
 action.escu.search_type = detection
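Review bot: The "Disable Show Hidden Files" stanza has its `action.escu.creation_date` rewritten from 2023-04-27 to 2024-02-14 in the same hunk that bumps `action.escu.modification_date`; a creation date is provenance metadata and should not move when a detection is edited. Losing it makes it harder to tell whether a rule was newly introduced in this release or merely retouched, which matters for anyone auditing detection coverage or diffing ESCU versions. Since dist/ is generated, the regression presumably comes from the `date` field in the source YAML having been overwritten; the rendered lines should be `action.escu.creation_date = 2023-04-27` and `action.escu.modification_date = 2024-02-14`. It would also be worth checking whether other stanzas in this release had their creation_date reset the same way.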
@@ -22348,7 +23003,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Disable Show Hidden Files - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse", "Azorult"], "cis20": ["CIS 10"], "confidence": 100, "impact": 40, "mitre_attack": ["T1564.001", "T1562.001", "T1564", "T1562", "T1112"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse", "Azorult"], "cis20": ["CIS 10"], "confidence": 100, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.001", "T1562.001", "T1564", "T1562", "T1112"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -22365,7 +23020,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic is to detect a suspicious modification of registry to disable UAC remote restriction. This technique was well documented in Microsoft page where attacker may modify this registry value to bypassed UAC feature of windows host. This is a good indicator that some tries to bypassed UAC to suspicious process or gain privilege escalation.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic is to detect a suspicious modification of registry to disable UAC remote restriction. This technique was well documented in Microsoft page where attacker may modify this registry value to bypassed UAC feature of windows host. This is a good indicator that some tries to bypassed UAC to suspicious process or gain privilege escalation.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
@@ -22388,7 +23043,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Disable UAC Remote Restriction - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Defense Evasion Tactics", "CISA AA23-347A", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Defense Evasion Tactics", "CISA AA23-347A", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -22411,7 +23066,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic detects a suspicious registry modification to disable Windows hotkey (shortcut keys) for native Windows applications. This technique is commonly used to disable certain or several Windows applications like `taskmgr.exe` and `cmd.exe`. This technique is used to impair the analyst in analyzing and removing the attacker implant in compromised systems.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic detects a suspicious registry modification to disable Windows hotkey (shortcut keys) for native Windows applications. This technique is commonly used to disable certain or several Windows applications like `taskmgr.exe` and `cmd.exe`. This technique is used to impair the analyst in analyzing and removing the attacker implant in compromised systems.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
@@ -22434,7 +23089,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Disable Windows App Hotkeys - Rule
-action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 40, "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -22457,7 +23112,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = This search is to identifies a modification in registry to disable the windows denfender real time behavior monitoring. This event or technique is commonly seen in RAT, bot, or Trojan to disable AV to evade detections.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search is to identifies a modification in registry to disable the windows denfender real time behavior monitoring. This event or technique is commonly seen in RAT, bot, or Trojan to disable AV to evade detections.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
@@ -22480,7 +23135,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Disable Windows Behavior Monitoring - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azorult", "Ransomware", "Windows Registry Abuse", "RedLine Stealer", "Windows Defense Evasion Tactics", "CISA AA23-347A", "Revil Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 40, "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azorult", "Ransomware", "Windows Registry Abuse", "RedLine Stealer", "Windows Defense Evasion Tactics", "CISA AA23-347A", "Revil Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -22503,13 +23158,13 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = The following search identifies a modification of registry to disable the smartscreen protection of windows machine. This is windows feature provide an early warning system against website that might engage in phishing attack or malware distribution. This modification are seen in RAT malware to cover their tracks upon downloading other of its component or other payload.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following search identifies a modification of registry to disable the smartscreen protection of windows machine. This is windows feature provide an early warning system against website that might engage in phishing attack or malware distribution. This modification are seen in RAT malware to cover their tracks upon downloading other of its component or other payload.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
 action.escu.known_false_positives = admin or user may choose to disable this windows features.
-action.escu.creation_date = 2023-12-27
-action.escu.modification_date = 2023-12-27
+action.escu.creation_date = 2024-02-14
+action.escu.modification_date = 2024-02-14
 action.escu.confidence = high
 action.escu.full_search_name = ESCU - Disable Windows SmartScreen Protection - Rule
 action.escu.search_type = detection
@@ -22526,7 +23181,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Disable Windows SmartScreen Protection - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "CISA AA23-347A", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "CISA AA23-347A", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -22549,7 +23204,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUser` commandlet with specific parameters. `Get-ADUser` is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, `Get-ADUser` is used to query for domain users. With the appropiate parameters, Get-ADUser allows adversaries to discover domain accounts with Kerberos Pre Authentication disabled.\ Red Teams and adversaries alike use may abuse Get-ADUSer to enumerate these accounts and attempt to crack their passwords offline.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUser` commandlet with specific parameters. `Get-ADUser` is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, `Get-ADUser` is used to query for domain users. With the appropiate parameters, Get-ADUser allows adversaries to discover domain accounts with Kerberos Pre Authentication disabled.\ Red Teams and adversaries alike use may abuse Get-ADUSer to enumerate these accounts and attempt to crack their passwords offline.
 action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
@@ -22572,7 +23227,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Disabled Kerberos Pre-Authentication Discovery With Get-ADUser - Rule
-action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -22595,7 +23250,7 @@ search = `powershell` EventCode=4104 (ScriptBlockText = "*Get-ADUser*" AND Scri
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` commandlet with specific parameters. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows Active Directory networks. As the name suggests, `Get-DomainUser` is used to identify domain users and combining it with `-PreauthNotRequired` allows adversaries to discover domain accounts with Kerberos Pre Authentication disabled.\ Red Teams and adversaries alike use may leverage PowerView to enumerate these accounts and attempt to crack their passwords offline.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` commandlet with specific parameters. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows Active Directory networks. As the name suggests, `Get-DomainUser` is used to identify domain users and combining it with `-PreauthNotRequired` allows adversaries to discover domain accounts with Kerberos Pre Authentication disabled.\ Red Teams and adversaries alike use may leverage PowerView to enumerate these accounts and attempt to crack their passwords offline.
 action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints.
Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
@@ -22618,7 +23273,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Disabled Kerberos Pre-Authentication Discovery With PowerView - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -22641,7 +23296,7 @@ search = `powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainUser*" AND
 action.escu = 0
 action.escu.enabled = 1
 description = This search is to identify modification in registry to disable cmd prompt application. This technique is commonly seen in RAT, Trojan or WORM to prevent triaging or deleting there samples through cmd application which is one of the tool of analyst to traverse on directory and files.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search is to identify modification in registry to disable cmd prompt application. This technique is commonly seen in RAT, Trojan or WORM to prevent triaging or deleting there samples through cmd application which is one of the tool of analyst to traverse on directory and files.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
@@ -22664,7 +23319,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Disabling CMD Application - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse", "NjRAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse", "NjRAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -22687,13 +23342,13 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = this search is to identify registry modification to disable control panel window. This technique is commonly seen in malware to prevent their artifacts , persistence removed on the infected machine.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = this search is to identify registry modification to disable control panel window. This technique is commonly seen in malware to prevent their artifacts , persistence removed on the infected machine.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
 action.escu.known_false_positives = admin may disable this application for non technical user.
-action.escu.creation_date = 2023-04-27
-action.escu.modification_date = 2023-04-27
+action.escu.creation_date = 2024-02-14
+action.escu.modification_date = 2024-02-14
 action.escu.confidence = high
 action.escu.full_search_name = ESCU - Disabling ControlPanel - Rule
 action.escu.search_type = detection
@@ -22710,7 +23365,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Disabling ControlPanel - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -22733,7 +23388,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = This particular behavior is typically executed when an adversaries or malware gains access to an endpoint and beings to perform execution and to evade detections. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This particular behavior is typically executed when an adversaries or malware gains access to an endpoint and beings to perform execution and to evade detections. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
@@ -22756,7 +23411,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Disabling Defender Services - Rule
-action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Windows Registry Abuse", "RedLine Stealer"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Windows Registry Abuse", "RedLine Stealer"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -22779,7 +23434,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -22802,7 +23457,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Disabling Firewall with Netsh - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "BlackByte Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "BlackByte Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -22819,7 +23474,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This search is to identify registry modification to disable folder options feature of windows to show hidden files, file extension and etc. This technique used by malware in combination if disabling show hidden files feature to hide their files and also to hide the file extension to lure the user base on file icons or fake file extensions.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search is to identify registry modification to disable folder options feature of windows to show hidden files, file extension and etc. This technique used by malware in combination if disabling show hidden files feature to hide their files and also to hide the file extension to lure the user base on file icons or fake file extensions.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
@@ -22842,7 +23497,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Disabling FolderOptions Windows Feature - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "CISA AA23-347A", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "CISA AA23-347A", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -22865,7 +23520,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic will identify a suspicious command-line that disables a user account using the `net.exe` utility native to Windows. This technique may used by the adversaries to interrupt availability of such users to do their malicious act.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1531"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1531"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic will identify a suspicious command-line that disables a user account using the `net.exe` utility native to Windows. This technique may used by the adversaries to interrupt availability of such users to do their malicious act.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -22888,7 +23543,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Disabling Net User Account - Rule
-action.correlationsearch.annotations = {"analytic_story": ["XMRig"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "mitre_attack": ["T1531"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["XMRig"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1531"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -22911,7 +23566,7 @@ search = | tstats `security_content_summariesonly` values(Processes.process) as
 action.escu = 0
 action.escu.enabled = 1
 description = This search is to identify modification of registry to disable run application in window start menu. this application is known to be a helpful shortcut to windows OS user to run known application and also to execute some reg or batch script. This technique is used malware to make cleaning of its infection more harder by preventing known application run easily through run shortcut.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search is to identify modification of registry to disable run application in window start menu. this application is known to be a helpful shortcut to windows OS user to run known application and also to execute some reg or batch script. This technique is used malware to make cleaning of its infection more harder by preventing known application run easily through run shortcut.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
@@ -22934,7 +23589,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Disabling NoRun Windows App - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562", "T1112"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -22957,7 +23612,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = The search looks for modifications to registry keys that control the enforcement of Windows User Account Control (UAC).
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The search looks for modifications to registry keys that control the enforcement of Windows User Account Control (UAC).
 action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report registry modifications.
@@ -22980,7 +23635,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Disabling Remote User Account Control - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Suspicious Windows Registry Activities", "Remcos", "Windows Registry Abuse", "Azorult", "AgentTesla"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Suspicious Windows Registry Activities", "Remcos", "Windows Registry Abuse", "Azorult", "AgentTesla"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -23003,13 +23658,13 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following search identifies the modification of registry related in disabling the system restore of a machine. This event or behavior are seen in some RAT malware to make the restore of the infected machine difficult and keep their infection on the box.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following search identifies the modification of registry related in disabling the system restore of a machine. This event or behavior are seen in some RAT malware to make the restore of the infected machine difficult and keep their infection on the box.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
 action.escu.known_false_positives = in some cases admin can disable systemrestore on a machine.
-action.escu.creation_date = 2023-04-27
-action.escu.modification_date = 2023-04-27
+action.escu.creation_date = 2024-02-14
+action.escu.modification_date = 2024-02-14
 action.escu.confidence = high
 action.escu.full_search_name = ESCU - Disabling SystemRestore In Registry - Rule
 action.escu.search_type = detection
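Review bot: The new side rewrites `action.escu.creation_date = 2024-02-14` for a rule that previously carried `2023-04-27`, so the creation date now equals the modification date and no longer records when Disabling SystemRestore In Registry first shipped. Only `action.escu.modification_date` should advance when annotations are added; the expected new side is `action.escu.creation_date = 2023-04-27` followed by `action.escu.modification_date = 2024-02-14`. Because dist/ is produced by the release job, the correction presumably belongs in the detection's source YAML date field rather than in this generated file. Any consumer that uses creation_date to surface newly added content will otherwise report this existing rule as new.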
@@ -23026,7 +23681,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Disabling SystemRestore In Registry - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse", "NjRAT"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse", "NjRAT"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -23049,7 +23704,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = This search is to identifies modification of registry to disable the task manager of windows operating system. this event or technique are commonly seen in malware such as RAT, Trojan, TrojanSpy or worm to prevent the user to terminate their process.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search is to identifies modification of registry to disable the task manager of windows operating system. this event or technique are commonly seen in malware such as RAT, Trojan, TrojanSpy or worm to prevent the user to terminate their process.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
@@ -23072,7 +23727,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Disabling Task Manager - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse", "NjRAT"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse", "NjRAT"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -23095,7 +23750,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = This detection looks for the deletion of registry keys which disable LSA protection and MS Defender Device Guard.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1556"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This detection looks for the deletion of registry keys which disable LSA protection and MS Defender Device Guard.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -23118,7 +23773,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Disabling Windows Local Security Authority Defences via Registry - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Defence Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 60, "mitre_attack": ["T1556"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Defence Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 60, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1556"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
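Review bot: The added annotation line still carries `"analytic_story": ["Windows Defence Evasion Tactics", "Windows Registry Abuse"]`, while every other rule in this series of hunks (Disabling NoRun Windows App, Disabling Remote User Account Control, Disabling SystemRestore In Registry, Disabling Task Manager) references `"Windows Defense Evasion Tactics"`. In Enterprise Security the analytic_story value is the key that links a notable to its story, so if analyticstories.conf spells the story with the American form this rule's notables will not be attached to it; the commit touches the line only to add `kill_chain_phases` and leaves the mismatch in place. Because dist/ is generated by the release job, the fix belongs in the detection's YAML analytic_story list, after which this line would read `"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"]`. analyticstories.conf is outside this chunk, so confirm which spelling the story file actually uses before changing it.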
@@ -23141,7 +23796,7 @@ search = | tstats `security_content_summariesonly` min(_time) as _time from data
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies DLLHost.exe with no command line arguments with a network connection. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint", "Network_Traffic"]
 action.escu.eli5 = The following analytic identifies DLLHost.exe with no command line arguments with a network connection. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -23164,7 +23819,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - DLLHost with no Command Line Arguments with Network - Rule
-action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -23187,7 +23842,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = this search is to detect potential DNS exfiltration using nslookup application. This technique are seen in couple of malware and APT group to exfiltrated collected data in a infected machine or infected network. This detection is looking for unique use of nslookup where it tries to use specific record type, TXT, A, AAAA, that are commonly used by attacker and also the retry parameter which is designed to query C2 DNS multiple tries.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1048"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = this search is to detect potential DNS exfiltration using nslookup application. This technique are seen in couple of malware and APT group to exfiltrated collected data in a infected machine or infected network. This detection is looking for unique use of nslookup where it tries to use specific record type, TXT, A, AAAA, that are commonly used by attacker and also the retry parameter which is designed to query C2 DNS multiple tries.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -23210,7 +23865,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - DNS Exfiltration Using Nslookup App - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious DNS Traffic", "Dynamic DNS", "Data Exfiltration", "Command And Control"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "mitre_attack": ["T1048"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious DNS Traffic", "Dynamic DNS", "Data Exfiltration", "Command And Control"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -23233,7 +23888,7 @@ search = | tstats `security_content_summariesonly` values(Processes.process) as
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to discover domain users. The `user` argument returns a list of all users registered in the domain. Red Teams and adversaries alike engage in remote system discovery for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to discover domain users. The `user` argument returns a list of all users registered in the domain. Red Teams and adversaries alike engage in remote system discovery for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -23251,7 +23906,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Domain Account Discovery with Dsquery - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -23268,7 +23923,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for domain users. Red Teams and adversaries alike may use net.exe to enumerate domain users for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for domain users. Red Teams and adversaries alike may use net.exe to enumerate domain users for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -23291,7 +23946,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Domain Account Discovery With Net App - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Graceful Wipe Out Attack", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Graceful Wipe Out Attack", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -23314,7 +23969,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for domain users. Red Teams and adversaries alike use wmic.exe to enumerate domain users for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for domain users. Red Teams and adversaries alike use wmic.exe to enumerate domain users for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -23337,7 +23992,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Domain Account Discovery with Wmic - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -23360,7 +24015,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for the execution of `nltest.exe` with command-line arguments utilized to discover remote systems. The arguments `/dclist:` and '/dsgetdc:', can be used to return a list of all domain controllers. Red Teams and adversaries alike may use nltest.exe to identify domain controllers in a Windows Domain for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for the execution of `nltest.exe` with command-line arguments utilized to discover remote systems. The arguments `/dclist:` and '/dsgetdc:', can be used to return a list of all domain controllers. Red Teams and adversaries alike may use nltest.exe to identify domain controllers in a Windows Domain for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -23383,7 +24038,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Domain Controller Discovery with Nltest - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -23406,7 +24061,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to discover remote systems. The arguments utilized in this command line return a list of all domain controllers in a Windows domain. Red Teams and adversaries alike use *.exe to identify remote systems for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to discover remote systems. The arguments utilized in this command line return a list of all domain controllers in a Windows domain. Red Teams and adversaries alike use *.exe to identify remote systems for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -23424,7 +24079,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Domain Controller Discovery with Wmic - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "mitre_attack": ["T1018"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -23441,7 +24096,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain groups for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain groups for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
@@ -23464,7 +24119,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Domain Group Discovery with Adsisearcher - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -23487,7 +24142,7 @@ search = `powershell` EventCode=4104 (Message = "*[adsisearcher]*" AND Message =
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to query for domain groups. The argument `group`, returns a list of all domain groups. Red Teams and adversaries alike use may leverage dsquery.exe to enumerate domain groups for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to query for domain groups. The argument `group`, returns a list of all domain groups. Red Teams and adversaries alike use may leverage dsquery.exe to enumerate domain groups for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -23505,7 +24160,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Domain Group Discovery With Dsquery - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -23522,7 +24177,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for the execution of `net.exe` with command-line arguments utilized to query for domain groups. The argument `group /domain`, returns a list of all domain groups. Red Teams and adversaries alike use net.exe to enumerate domain groups for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for the execution of `net.exe` with command-line arguments utilized to query for domain groups. The argument `group /domain`, returns a list of all domain groups. Red Teams and adversaries alike use net.exe to enumerate domain groups for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -23540,7 +24195,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Domain Group Discovery With Net - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Post-Exploitation", "Active Directory Discovery", "Prestige Ransomware", "Graceful Wipe Out Attack", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Windows Post-Exploitation", "Active Directory Discovery", "Prestige Ransomware", "Graceful Wipe Out Attack", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -23557,7 +24212,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for domain groups. The arguments utilized in this command return a list of all domain groups. Red Teams and adversaries alike use wmic.exe to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for domain groups. The arguments utilized in this command return a list of all domain groups. Red Teams and adversaries alike use wmic.exe to enumerate domain groups for situational awareness and Active Directory Discovery. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -23575,7 +24230,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Domain Group Discovery With Wmic - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -23592,7 +24247,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic will identify a suspicious download by the Telegram application on a Windows system. This behavior was identified on a honeypot where the adversary gained access, installed Telegram and followed through with downloading different network scanners (port, bruteforcer, masscan) to the system and later used to mapped the whole network and further move laterally. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic will identify a suspicious download by the Telegram application on a Windows system. This behavior was identified on a honeypot where the adversary gained access, installed Telegram and followed through with downloading different network scanners (port, bruteforcer, masscan) to the system and later used to mapped the whole network and further move laterally. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and TargetFilename from your endpoints or Events that monitor filestream events which is happened when process download something. (EventCode 15) If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. 
@@ -23604,7 +24259,7 @@ action.escu.full_search_name = ESCU - Download Files Using Telegram - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null -action.escu.analytic_story = ["XMRig"] +action.escu.analytic_story = ["XMRig", "Phemedrone Stealer"] action.risk = 1 action.risk.param._risk_message = Suspicious files were downloaded with the Telegram application on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] @@ -23615,7 +24270,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Download Files Using Telegram - Rule -action.correlationsearch.annotations = {"analytic_story": ["XMRig"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1105"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Phemedrone Stealer"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -23638,7 +24293,7 @@ search = `sysmon` EventCode= 15 process_name = "telegram.exe" TargetFilename = " action.escu = 0 action.escu.enabled = 1 description = This search is to detect dropping a suspicious file named as "license.dat" in %appdata%. This behavior seen in latest IcedID malware that contain the actual core bot that will be injected in other process to do banking stealing. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search is to detect dropping a suspicious file named as "license.dat" in %appdata%. This behavior seen in latest IcedID malware that contain the actual core bot that will be injected in other process to do banking stealing. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. @@ -23656,7 +24311,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Drop IcedID License dat - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["IcedID"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -23678,7 +24333,7 @@ The search will return the first time and last time these command-line arguments DSQuery.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64` and only on Server operating system.\ The following DLL(s) are loaded when DSQuery.exe is launched `dsquery.dll`. If found loaded by another process, it is possible dsquery is running within that process context in memory.\ In addition to trust discovery, review parallel processes for additional behaviors performed. Identify the parent process and capture any files (batch files, for example) being used. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies "dsquery.exe" execution with arguments looking for `TrustedDomain` query directly on the command-line. This is typically indicative of an Administrator or adversary perform domain trust discovery. Note that this query does not identify any other variations of "Dsquery.exe" usage.\ Within this detection, it is assumed `dsquery.exe` is not moved or renamed.\ 
@@ -23706,7 +24361,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - DSQuery Domain Discovery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Domain Trust Discovery", "Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "mitre_attack": ["T1482"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Domain Trust Discovery", "Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -23734,7 +24389,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries to exploit the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. The detection is made by monitoring logs with process information from endpoints and identifying instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump. This indicates potential LSASS dumping attempts used by threat actors to obtain valuable credentials. The detection is important because credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. No legitimate use of this technique has been identified yet. This behavior is often part of more extensive attack campaigns and is associated with numerous threat groups that use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. False positives can occur since legitimate uses of the LSASS process can cause benign activities to be flagged. Next steps include reviewing the processes involved in the LSASS dumping attempt after triage and inspecting any relevant on-disk artifacts and concurrent processes to identify the attack source. 
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries to exploit the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. The detection is made by monitoring logs with process information from endpoints and identifying instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump. This indicates potential LSASS dumping attempts used by threat actors to obtain valuable credentials. The detection is important because credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. No legitimate use of this technique has been identified yet. This behavior is often part of more extensive attack campaigns and is associated with numerous threat groups that use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. False positives can occur since legitimate uses of the LSASS process can cause benign activities to be flagged. Next steps include reviewing the processes involved in the LSASS dumping attempt after triage and inspecting any relevant on-disk artifacts and concurrent processes to identify the attack source. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. 
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -23757,7 +24412,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Dump LSASS via comsvcs DLL - Rule -action.correlationsearch.annotations = {"analytic_story": ["Industroyer2", "HAFNIUM Group", "CISA AA22-264A", "Prestige Ransomware", "Credential Dumping", "CISA AA22-257A", "Living Off The Land", "Suspicious Rundll32 Activity", "Data Destruction", "Volt Typhoon", "Flax Typhoon"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Industroyer2", "HAFNIUM Group", "CISA AA22-264A", "Prestige Ransomware", "Credential Dumping", "CISA AA22-257A", "Living Off The Land", "Suspicious Rundll32 Activity", "Data Destruction", "Volt Typhoon", "Flax Typhoon"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -23781,7 +24436,7 @@ action.escu = 0 action.escu.enabled = 1 description = Detect procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. This query does not monitor for the internal name (original_file_name=procdump) of the PE or look for procdump64.exe. Modify the query as needed.\ During triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = Detect procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. This query does not monitor for the internal name (original_file_name=procdump) of the PE or look for procdump64.exe. Modify the query as needed.\ During triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe. 
@@ -23805,7 +24460,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Dump LSASS via procdump - Rule -action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "HAFNIUM Group", "CISA AA22-257A"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "HAFNIUM Group", "CISA AA22-257A"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -23829,7 +24484,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for specific elevated domain groups. Red Teams and adversaries alike use net.exe to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for specific elevated domain groups. Red Teams and adversaries alike use net.exe to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -23852,7 +24507,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Elevated Group Discovery With Net - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Volt Typhoon", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Volt Typhoon", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -23875,13 +24530,13 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainGroupMember` commandlet. `Get-DomainGroupMember` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. As the name suggests, `Get-DomainGroupMember` is used to list the members of an specific domain group. Red Teams and adversaries alike use PowerView to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainGroupMember` commandlet. `Get-DomainGroupMember` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. As the name suggests, `Get-DomainGroupMember` is used to list the members of an specific domain group. Red Teams and adversaries alike use PowerView to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users. action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. action.escu.known_false_positives = Administrators or power users may use this PowerView for troubleshooting. 
-action.escu.creation_date = 2021-08-25 -action.escu.modification_date = 2021-08-25 +action.escu.creation_date = 2024-02-14 +action.escu.modification_date = 2024-02-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Elevated Group Discovery with PowerView - Rule action.escu.search_type = detection @@ -23893,7 +24548,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Elevated Group Discovery with PowerView - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -23910,7 +24565,7 @@ search = `powershell` EventCode=4104 (Message = "*Get-DomainGroupMember*") AND M action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for specific domain groups. Red Teams and adversaries alike use net.exe to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for specific domain groups. Red Teams and adversaries alike use net.exe to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -23933,7 +24588,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Elevated Group Discovery With Wmic - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -23956,7 +24611,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This search is to detect a modification to registry to enable rdp to a machine with different port number. This technique was seen in some atttacker tries to do lateral movement and remote access to a compromised machine to gain control of it. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1021"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search is to detect a modification to registry to enable rdp to a machine with different port number. This technique was seen in some atttacker tries to do lateral movement and remote access to a compromised machine to gain control of it. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 
@@ -23979,7 +24634,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Enable RDP In Other Port Number - Rule -action.correlationsearch.annotations = {"analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1021"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -24002,7 +24657,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect a suspicious registry modification to enable plain text credential feature of windows. This technique was used by several malware and also by mimikatz to be able to dumpe the a plain text credential to the compromised or target host. This TTP is really a good indicator that someone wants to dump the crendential of the host so it must be a good pivot for credential dumping techniques. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1112", "T1003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112", "T1003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to detect a suspicious registry modification to enable plain text credential feature of windows. This technique was used by several malware and also by mimikatz to be able to dumpe the a plain text credential to the compromised or target host. This TTP is really a good indicator that someone wants to dump the crendential of the host so it must be a good pivot for credential dumping techniques. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 
@@ -24025,7 +24680,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Enable WDigest UseLogonCredential Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Windows Registry Abuse", "CISA AA22-320A"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1112", "T1003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Windows Registry Abuse", "CISA AA22-320A"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112", "T1003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -24048,7 +24703,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint action.escu = 0 action.escu.enabled = 1 description = This analytic will detect a suspicious Telegram process enumerating all network users in a local group. This technique was seen in a Monero infected honeypot to mapped all the users on the compromised system. EventCode 4798 is generated when a process enumerates a user's security-enabled local groups on a computer or device. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1087"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This analytic will detect a suspicious Telegram process enumerating all network users in a local group. This technique was seen in a Monero infected honeypot to mapped all the users on the compromised system. EventCode 4798 is generated when a process enumerates a user's security-enabled local groups on a computer or device. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the Task Schedule (Exa. Security Log EventCode 4798) endpoints. Tune and filter known instances of process like logonUI used in your environment. 
@@ -24071,7 +24726,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Enumerate Users Local Group Using Telegram - Rule -action.correlationsearch.annotations = {"analytic_story": ["XMRig"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1087"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["XMRig"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -24094,7 +24749,7 @@ search = `wineventlog_security` EventCode=4798 Process_Name = "*\\telegram.exe"
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies the process - `esentutl.exe` - being used to capture credentials stored in ntds.dit or the SAM file on disk. During triage, review parallel processes and determine if legitimate activity. Upon determination of illegitimate activity, take further action to isolate and contain the threat.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies the process - `esentutl.exe` - being used to capture credentials stored in ntds.dit or the SAM file on disk. During triage, review parallel processes and determine if legitimate activity. Upon determination of illegitimate activity, take further action to isolate and contain the threat.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -24112,7 +24767,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Esentutl SAM Copy - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -24129,7 +24784,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic is to detect a registry modification to disable ETW feature of windows. This technique is to evade EDR appliance to evade detections and hide its execution from audit logs.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.006", "T1127", "T1562"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.006", "T1127", "T1562"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic is to detect a registry modification to disable ETW feature of windows. This technique is to evade EDR appliance to evade detections and hide its execution from audit logs.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
@@ -24152,7 +24807,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - ETW Registry Disabled - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Registry Abuse", "CISA AA23-347A", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "mitre_attack": ["T1562.006", "T1127", "T1562"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Hermetic Wiper", "Windows Persistence Techniques", "Windows Privilege Escalation", "Windows Registry Abuse", "CISA AA23-347A", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.006", "T1127", "T1562"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -24175,7 +24830,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = The following search identifies Eventvwr bypass by identifying the registry modification into a specific path that eventvwr.msc looks to (but is not valid) upon execution. A successful attack will include a suspicious command to be executed upon eventvwr.msc loading. Upon triage, review the parallel processes that have executed. Identify any additional registry modifications on the endpoint that may look suspicious. Remediate as necessary.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following search identifies Eventvwr bypass by identifying the registry modification into a specific path that eventvwr.msc looks to (but is not valid) upon execution. A successful attack will include a suspicious command to be executed upon eventvwr.msc loading. Upon triage, review the parallel processes that have executed. Identify any additional registry modifications on the endpoint that may look suspicious. Remediate as necessary.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model.
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -24198,7 +24853,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Eventvwr UAC Bypass - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "IcedID", "Living Off The Land", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "IcedID", "Living Off The Land", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -24221,7 +24876,7 @@ search = | tstats `security_content_summariesonly` count min(_time) AS firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following detection identifies Microsoft Excel spawning PowerShell. Typically, this is not common behavior and not default with Excel.exe. Excel.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). PowerShell spawning from Excel.exe is common for a spearphishing attachment and is actively used. Albeit, the command executed will most likely be encoded and captured via another detection. During triage, review parallel processes and identify any files that may have been written.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following detection identifies Microsoft Excel spawning PowerShell. Typically, this is not common behavior and not default with Excel.exe. Excel.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). PowerShell spawning from Excel.exe is common for a spearphishing attachment and is actively used. Albeit, the command executed will most likely be encoded and captured via another detection. During triage, review parallel processes and identify any files that may have been written.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions.
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -24244,7 +24899,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Excel Spawning PowerShell - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -24267,7 +24922,7 @@ search = | tstats `security_content_summariesonly` count values(Processes.proces
 action.escu = 0
 action.escu.enabled = 1
 description = The following detection identifies Microsoft Excel spawning Windows Script Host - `cscript.exe` or `wscript.exe`. Typically, this is not common behavior and not default with Excel.exe. Excel.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). `cscript.exe` or `wscript.exe` default location is `c:\windows\system32\` or c:windows\syswow64`. `cscript.exe` or `wscript.exe` spawning from Excel.exe is common for a spearphishing attachment and is actively used. Albeit, the command-line executed will most likely be obfuscated and captured via another detection. During triage, review parallel processes and identify any files that may have been written. Review the reputation of the remote destination and block accordingly.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following detection identifies Microsoft Excel spawning Windows Script Host - `cscript.exe` or `wscript.exe`. Typically, this is not common behavior and not default with Excel.exe. Excel.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). `cscript.exe` or `wscript.exe` default location is `c:\windows\system32\` or c:windows\syswow64`. `cscript.exe` or `wscript.exe` spawning from Excel.exe is common for a spearphishing attachment and is actively used. Albeit, the command-line executed will most likely be obfuscated and captured via another detection. During triage, review parallel processes and identify any files that may have been written.
Review the reputation of the remote destination and block accordingly.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -24290,7 +24945,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Excel Spawning Windows Script Host - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -24313,7 +24968,7 @@ search = | tstats `security_content_summariesonly` count values(Processes.proces
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic will identify suspicious series of command-line to disable several services. This technique is seen where the adversary attempts to disable security app services or other malware services to complete the objective on the compromised system.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic will identify suspicious series of command-line to disable several services. This technique is seen where the adversary attempts to disable security app services or other malware services to complete the objective on the compromised system.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -24336,7 +24991,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Excessive Attempt To Disable Services - Rule
-action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Azorult"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1489"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Azorult"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -24353,7 +25008,7 @@ search = | tstats `security_content_summariesonly` values(Processes.process) as
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic will identify suspicious series of process executions. We have observed that post exploit framework tools like Koadic and Meterpreter will launch an excessive number of processes with distinct file paths from Windows\Temp to execute actions on objective. This behavior is extremely anomalous compared to typical application behaviors that use Windows\Temp.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic will identify suspicious series of process executions. We have observed that post exploit framework tools like Koadic and Meterpreter will launch an excessive number of processes with distinct file paths from Windows\Temp to execute actions on objective. This behavior is extremely anomalous compared to typical application behaviors that use Windows\Temp.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -24376,7 +25031,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Excessive distinct processes from Windows Temp - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Meterpreter"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Meterpreter"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -24393,7 +25048,7 @@ search = | tstats `security_content_summariesonly` values(Processes.process) as
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic will identify excessive file deletion events in the Windows Defender folder. This technique was seen in the WhisperGate malware campaign in which adversaries abused Nirsofts advancedrun.exe to gain administrative privilege to then execute PowerShell commands to delete files within the Windows Defender application folder. This behavior is a good indicator the offending process is trying to corrupt a Windows Defender installation.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = This analytic will identify excessive file deletion events in the Windows Defender folder. This technique was seen in the WhisperGate malware campaign in which adversaries abused Nirsofts advancedrun.exe to gain administrative privilege to then execute PowerShell commands to delete files within the Windows Defender application folder. This behavior is a good indicator the offending process is trying to corrupt a Windows Defender installation.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, TargetFilename, and ProcessID executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
@@ -24416,7 +25071,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Excessive File Deletion In WinDefender Folder - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "WhisperGate", "BlackByte Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1485"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "WhisperGate", "BlackByte Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -24439,7 +25094,7 @@ search = `sysmon` EventCode=23 TargetFilename = "*\\ProgramData\\Microsoft\\Wind
 action.escu = 0
 action.escu.enabled = 1
 description = This detection targets behaviors observed when threat actors have used sc.exe to modify services. We observed malware in a honey pot spawning numerous sc.exe processes in a short period of time, presumably to impair defenses, possibly to block others from compromising the same machine. This detection will alert when we see both an excessive number of sc.exe processes launched with specific commandline arguments to disable the start of certain services.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This detection targets behaviors observed when threat actors have used sc.exe to modify services. We observed malware in a honey pot spawning numerous sc.exe processes in a short period of time, presumably to impair defenses, possibly to block others from compromising the same machine. This detection will alert when we see both an excessive number of sc.exe processes launched with specific commandline arguments to disable the start of certain services.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model.
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -24462,7 +25117,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Excessive number of service control start as disabled - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -24479,7 +25134,7 @@ search = | tstats `security_content_summariesonly` distinct_count(Processes.proc
 action.escu = 0
 action.escu.enabled = 1
 description = This detection targets behaviors observed in post exploit kits like Meterpreter and Koadic that are run in memory. We have observed that these tools must invoke an excessive number of taskhost.exe and taskhostex.exe processes to complete various actions (discovery, lateral movement, etc.). It is extremely uncommon in the course of normal operations to see so many distinct taskhost and taskhostex processes running concurrently in a short time frame.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This detection targets behaviors observed in post exploit kits like Meterpreter and Koadic that are run in memory. We have observed that these tools must invoke an excessive number of taskhost.exe and taskhostex.exe processes to complete various actions (discovery, lateral movement, etc.). It is extremely uncommon in the course of normal operations to see so many distinct taskhost and taskhostex processes running concurrently in a short time frame.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model.
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -24502,7 +25157,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Excessive number of taskhost processes - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Meterpreter"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Meterpreter"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -24519,7 +25174,7 @@ search = | tstats `security_content_summariesonly` values(Processes.process_id)
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic identifies suspicious series of attempt to kill multiple services on a system using either `net.exe` or `sc.exe`. This technique is use by adversaries to terminate security services or other related services to continue there objective and evade detections.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic identifies suspicious series of attempt to kill multiple services on a system using either `net.exe` or `sc.exe`. This technique is use by adversaries to terminate security services or other related services to continue there objective and evade detections.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -24542,7 +25197,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Excessive Service Stop Attempt - Rule
-action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Ransomware", "BlackByte Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1489"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Ransomware", "BlackByte Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -24559,7 +25214,7 @@ search = | tstats `security_content_summariesonly` values(Processes.process) as
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies excessive usage of `cacls.exe`, `xcacls.exe` or `icacls.exe` application to change file or folder permission. This behavior is commonly seen where the adversary attempts to impair some users from deleting or accessing its malware components or artifact from the compromised system.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1222"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies excessive usage of `cacls.exe`, `xcacls.exe` or `icacls.exe` application to change file or folder permission. This behavior is commonly seen where the adversary attempts to impair some users from deleting or accessing its malware components or artifact from the compromised system.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -24582,7 +25237,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Excessive Usage Of Cacls App - Rule
-action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Azorult", "Windows Post-Exploitation", "Prestige Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1222"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Azorult", "Windows Post-Exploitation", "Prestige Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -24599,7 +25254,7 @@ search = | tstats `security_content_summariesonly` values(Processes.process) as action.escu = 0 action.escu.enabled = 1 description = This analytic identifies excessive usage of `net.exe` or `net1.exe` within a bucket of time (1 minute). This behavior was seen in a Monero incident where the adversary attempts to create many users, delete and disable users as part of its malicious behavior. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1531"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1531"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic identifies excessive usage of `net.exe` or `net1.exe` within a bucket of time (1 minute). This behavior was seen in a Monero incident where the adversary attempts to create many users, delete and disable users as part of its malicious behavior. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -24622,7 +25277,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Excessive Usage Of Net App - Rule -action.correlationsearch.annotations = {"analytic_story": ["Prestige Ransomware", "Graceful Wipe Out Attack", "XMRig", "Windows Post-Exploitation", "Azorult", "Ransomware", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "mitre_attack": ["T1531"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Prestige Ransomware", "Graceful Wipe Out Attack", "XMRig", "Windows Post-Exploitation", "Azorult", "Ransomware", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1531"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -24639,7 +25294,7 @@ search = | tstats `security_content_summariesonly` values(Processes.process) as action.escu = 0 action.escu.enabled = 1 description = This search is to detect potential DNS exfiltration using nslookup application. This technique are seen in couple of malware and APT group to exfiltrated collected data in a infected machine or infected network. This detection is looking for unique use of nslookup where it tries to use specific record type (TXT, A, AAAA) that are commonly used by attacker and also the retry parameter which is designed to query C2 DNS multiple tries. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1048"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search is to detect potential DNS exfiltration using nslookup application. This technique are seen in couple of malware and APT group to exfiltrated collected data in a infected machine or infected network. This detection is looking for unique use of nslookup where it tries to use specific record type (TXT, A, AAAA) that are commonly used by attacker and also the retry parameter which is designed to query C2 DNS multiple tries. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of nslookup.exe may be used. 
@@ -24662,7 +25317,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Excessive Usage of NSLOOKUP App - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious DNS Traffic", "Dynamic DNS", "Data Exfiltration", "Command And Control"], "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "mitre_attack": ["T1048"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious DNS Traffic", "Dynamic DNS", "Data Exfiltration", "Command And Control"], "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1048"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -24679,7 +25334,7 @@ search = `sysmon` EventCode = 1 process_name = "nslookup.exe" | bucket _time spa action.escu = 0 action.escu.enabled = 1 description = This search is to detect a suspicious excessive usage of sc.exe in a host machine. This technique was seen in several ransomware , xmrig and other malware to create, modify, delete or disable a service may related to security application or to gain privilege escalation. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search is to detect a suspicious excessive usage of sc.exe in a host machine. This technique was seen in several ransomware , xmrig and other malware to create, modify, delete or disable a service may related to security application or to gain privilege escalation. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed taskkill.exe may be used. 
@@ -24702,7 +25357,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Excessive Usage Of SC Service Utility - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Azorult"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Azorult"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -24719,7 +25374,7 @@ search = `sysmon` EventCode = 1 process_name = "sc.exe" | bucket _time span=15m action.escu = 0 action.escu.enabled = 1 description = This analytic identifies excessive usage of `taskkill.exe` application. This application is commonly used by adversaries to evade detections by killing security product processes or even other processes to evade detection. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic identifies excessive usage of `taskkill.exe` application. This application is commonly used by adversaries to evade detections by killing security product processes or even other processes to evade detection. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -24734,7 +25389,7 @@ action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Bla action.escu.analytic_story = ["XMRig", "Azorult", "CISA AA22-264A", "AgentTesla", "CISA AA22-277A", "NjRAT"] action.risk = 1 action.risk.param._risk_message = Excessive usage of taskkill.exe with process id $process_id$ (more than 10 within 1m) has been detected on $dest$ with a parent process of $parent_process_name$. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 28}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 28}, {"threat_object_field": "parent_process_name", "threat_object_type": "process name"}] +action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 28}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 28}, {"threat_object_field": "parent_process_name", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -24742,7 +25397,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Excessive Usage Of Taskkill - Rule -action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Azorult", "CISA AA22-264A", "AgentTesla", "CISA AA22-277A", "NjRAT"], "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Azorult", "CISA AA22-264A", "AgentTesla", "CISA AA22-277A", "NjRAT"], "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -24763,7 +25418,7 @@ Modification of this analytic is requried to ensure fields are mapped accordingl A suspicious event will have `PowerShell`, the method `POST` and `autodiscover.json`. This is indicative of accessing PowerShell on the back end of Exchange with SSRF. \ An event will look similar to `POST /autodiscover/autodiscover.json a=dsxvu@fnsso.flq/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3d...` (abbreviated) \ Review the source attempting to perform this activity against your environment. In addition, review PowerShell logs and access recently granted to Exchange roles. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies suspicious behavior related to ProxyShell against on-premise Microsoft Exchange servers. This analytic has been replaced by GUID d436f9e7-0ee7-4a47-864b-6dea2c4e2752 which utilizes the Web Datamodel. \ Modification of this analytic is requried to ensure fields are mapped accordingly. \ 
@@ -24790,7 +25445,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Exchange PowerShell Abuse via SSRF - Rule -action.correlationsearch.annotations = {"analytic_story": ["ProxyShell", "BlackByte Ransomware", "ProxyNotShell"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["ProxyShell", "BlackByte Ransomware", "ProxyNotShell"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -24821,7 +25476,7 @@ Inherently, the usage of the modules is not malicious, but reviewing parallel pr Module - New-MailboxExportRequest will begin the process of exporting contents of a primary mailbox or archive to a .pst file. \ Module - New-managementroleassignment can assign a management role to a management role group, management role assignment policy, user, or universal security group (USG). \ Module - New-MailboxSearch cmdlet to create a mailbox search and either get an estimate of search results, place search results on In-Place Hold or copy them to a Discovery mailbox. You can also place all contents in a mailbox on hold by not specifying a search query, which accomplishes similar results as Litigation Hold. \ Module - Get-Recipient cmdlet to view existing recipient objects in your organization. This cmdlet returns all mail-enabled objects (for example, mailboxes, mail users, mail contacts, and distribution groups). -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the usage of Exchange PowerShell modules that were recently used for a proof of concept related to ProxyShell. Adversaries may abuse a limited set of PwSh Modules related to Exchange once gained access via ProxyShell or ProxyNotShell.\ Inherently, the usage of the modules is not malicious, but reviewing parallel processes, and user, of the session will assist with determining the intent. \ 
@@ -24848,7 +25503,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Exchange PowerShell Module Usage - Rule -action.correlationsearch.annotations = {"analytic_story": ["ProxyNotShell", "CISA AA22-277A", "ProxyShell", "BlackByte Ransomware", "CISA AA22-264A"], "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["ProxyNotShell", "CISA AA22-277A", "ProxyShell", "BlackByte Ransomware", "CISA AA22-264A"], "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -24875,13 +25530,13 @@ search = `powershell` EventCode=4104 ScriptBlockText IN ("*New-MailboxExportRequ action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies executable files (.exe or .dll) being written to Windows administrative SMB shares (Admin$, IPC$, C$). This represents suspicious behavior as its commonly used by tools like PsExec/PaExec and others to stage service binaries before creating and starting a Windows service on remote endpoints. Red Teams and adversaries alike may abuse administrative shares for lateral movement and remote code execution. The Trickbot malware family also implements this behavior to try to infect other machines in the infected network. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1021", "T1021.002"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.002"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies executable files (.exe or .dll) being written to Windows administrative SMB shares (Admin$, IPC$, C$). This represents suspicious behavior as its commonly used by tools like PsExec/PaExec and others to stage service binaries before creating and starting a Windows service on remote endpoints. Red Teams and adversaries alike may abuse administrative shares for lateral movement and remote code execution. The Trickbot malware family also implements this behavior to try to infect other machines in the infected network. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5145 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy. action.escu.known_false_positives = System Administrators may use looks like PsExec for troubleshooting or administrations tasks. 
However, this will typically come only from certain users and certain systems that can be added to an allow list. -action.escu.creation_date = 2023-06-13 -action.escu.modification_date = 2023-06-13 +action.escu.creation_date = 2024-02-14 +action.escu.modification_date = 2024-02-14 action.escu.confidence = high action.escu.full_search_name = ESCU - Executable File Written in Administrative SMB Share - Rule action.escu.search_type = detection @@ -24889,7 +25544,7 @@ action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splun action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Active Directory Lateral Movement", "Prestige Ransomware", "Graceful Wipe Out Attack", "Industroyer2", "IcedID", "Data Destruction", "Hermetic Wiper", "Trickbot"] action.risk = 1 -action.risk.param._risk_message = $user$ dropped or created an executable file in known sensitive SMB share. Share name=$ShareName$, Target name=$RelativeTargetName$, and Access mask=$AccessMask$ +action.risk.param._risk_message = $src_user$ dropped or created an executable file in known sensitive SMB share. Share name=$ShareName$, Target name=$RelativeTargetName$, and Access mask=$AccessMask$ action.risk.param._risk = [{"risk_object_field": "src_user", "risk_object_type": "user", "risk_score": 70}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 
@@ -24898,7 +25553,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Executable File Written in Administrative SMB Share - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Prestige Ransomware", "Graceful Wipe Out Attack", "Industroyer2", "IcedID", "Data Destruction", "Hermetic Wiper", "Trickbot"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "mitre_attack": ["T1021", "T1021.002"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Prestige Ransomware", "Graceful Wipe Out Attack", "Industroyer2", "IcedID", "Data Destruction", "Hermetic Wiper", "Trickbot"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -24921,7 +25576,7 @@ search = `wineventlog_security` EventCode=5145 RelativeTargetName IN ("*.exe","* action.escu = 0 action.escu.enabled = 1 description = This analytic identifies potentially malicious executables or scripts by examining a list of suspicious file paths on Windows Operating System. The purpose of this technique is to uncover files with known file extensions that could be used by adversaries to evade detection and persistence. The suspicious file paths selected for investigation are typically uncommon and uncommonly associated with executable or script files. By scrutinizing these paths, we can proactively identify potential security threats and enhance overall system security. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1036"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic identifies potentially malicious executables or scripts by examining a list of suspicious file paths on Windows Operating System. The purpose of this technique is to uncover files with known file extensions that could be used by adversaries to evade detection and persistence. The suspicious file paths selected for investigation are typically uncommon and uncommonly associated with executable or script files. By scrutinizing these paths, we can proactively identify potential security threats and enhance overall system security. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. 
@@ -24936,7 +25591,7 @@ action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Bla action.escu.analytic_story = ["Double Zero Destructor", "Graceful Wipe Out Attack", "AsyncRAT", "WhisperGate", "DarkGate Malware", "AgentTesla", "Brute Ratel C4", "NjRAT", "RedLine Stealer", "Rhysida Ransomware", "Swift Slicer", "IcedID", "DarkCrystal RAT", "Chaos Ransomware", "PlugX", "Industroyer2", "Azorult", "Remcos", "XMRig", "Qakbot", "Volt Typhoon", "Hermetic Wiper", "Warzone RAT", "Trickbot", "Amadey", "BlackByte Ransomware", "LockBit Ransomware", "CISA AA23-347A", "Data Destruction"] action.risk = 1 action.risk.param._risk_message = Suspicious executable or scripts with file name $file_name$, $file_path$ and process_id $process_id$ executed in suspicious file path in Windows by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 20}, {"threat_object_field": "file_name", "threat_object_type": "file name"}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 20}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -24944,7 +25599,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Executables Or Script Creation In Suspicious Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["Double Zero Destructor", "Graceful Wipe Out Attack", "AsyncRAT", "WhisperGate", "DarkGate Malware", "AgentTesla", "Brute Ratel C4", "NjRAT", "RedLine Stealer", "Rhysida Ransomware", "Swift Slicer", "IcedID", "DarkCrystal RAT", "Chaos Ransomware", "PlugX", "Industroyer2", "Azorult", "Remcos", "XMRig", "Qakbot", "Volt Typhoon", "Hermetic Wiper", "Warzone RAT", "Trickbot", "Amadey", "BlackByte Ransomware", "LockBit Ransomware", "CISA AA23-347A", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "mitre_attack": ["T1036"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Double Zero Destructor", "Graceful Wipe Out Attack", "AsyncRAT", "WhisperGate", "DarkGate Malware", "AgentTesla", "Brute Ratel C4", "NjRAT", "RedLine Stealer", "Rhysida Ransomware", "Swift Slicer", "IcedID", "DarkCrystal RAT", "Chaos Ransomware", "PlugX", "Industroyer2", "Azorult", "Remcos", "XMRig", "Qakbot", "Volt Typhoon", "Hermetic Wiper", "Warzone RAT", "Trickbot", "Amadey", "BlackByte Ransomware", "LockBit Ransomware", "CISA AA23-347A", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -24961,7 +25616,7 @@ search = |tstats `security_content_summariesonly` values(Filesystem.file_path) a action.escu = 0 action.escu.enabled = 1 description = This analytic will identify suspicious process of cscript.exe where it tries to execute javascript using jscript.encode CLSID (COM OBJ). This technique was seen in ransomware (reddot ransomware) where it execute javascript with this com object with combination of amsi disabling technique. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.005"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.005"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic will identify suspicious process of cscript.exe where it tries to execute javascript using jscript.encode CLSID (COM OBJ). This technique was seen in ransomware (reddot ransomware) where it execute javascript with this com object with combination of amsi disabling technique. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -24976,7 +25631,7 @@ action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Bla action.escu.analytic_story = ["Ransomware"] action.risk = 1 action.risk.param._risk_message = Suspicious process of cscript.exe with a parent process $parent_process_name$ where it tries to execute javascript using jscript.encode CLSID (COM OBJ), detected on $dest$ by $user$ -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"threat_object_field": "parent_process_name", "threat_object_type": "process name"}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"threat_object_field": "parent_process_name", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -24984,7 +25639,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Execute Javascript With Jscript COM CLSID - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "mitre_attack": ["T1059", "T1059.005"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.005"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -25007,7 +25662,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This search looks for processes launched from files that have double extensions in the file name. This is typically done to obscure the "real" file extension and make it appear as though the file being accessed is a data file, as opposed to executable content. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1036", "T1036.003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1036.003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for processes launched from files that have double extensions in the file name. This is typically done to obscure the "real" file extension and make it appear as though the file being accessed is a data file, as opposed to executable content. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -25030,7 +25685,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Execution of File with Multiple Extensions - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows File Extension and Association Abuse", "Masquerading - Rename System Utilities", "AsyncRAT", "DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "mitre_attack": ["T1036", "T1036.003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Windows File Extension and Association Abuse", "Masquerading - Rename System Utilities", "AsyncRAT", "DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1036.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -25053,7 +25708,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the use of `reg.exe` exporting Windows Registry hives containing credentials. Adversaries may use this technique to export registry hives for offline credential access attacks. Typically found executed from a untrusted process or script. Upon execution, a file will be written to disk. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the use of `reg.exe` exporting Windows Registry hives containing credentials. Adversaries may use this technique to export registry hives for offline credential access attacks. Typically found executed from a untrusted process or script. Upon execution, a file will be written to disk. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -25076,7 +25731,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Extraction of Registry Hives - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Volt Typhoon", "Credential Dumping", "CISA AA23-347A", "DarkSide Ransomware", "CISA AA22-257A"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Volt Typhoon", "Credential Dumping", "CISA AA23-347A", "DarkSide Ransomware", "CISA AA22-257A"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -25114,7 +25769,7 @@ action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Bla
 action.escu.analytic_story = ["SamSam Ransomware"]
 action.risk = 1
 action.risk.param._risk_message = File writes $file_name$ with extensions consistent with a SamSam ransomware attack seen on $dest$
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"threat_object_field": "file_name", "threat_object_type": "file name"}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 90}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 90}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -25145,7 +25800,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic detects a potential suspicious modification of firewall rule allowing to execute specific application. This technique was identified when an adversary and red teams to bypassed firewall file execution restriction in a targetted host. Take note that this event or command can run by administrator during testing or allowing legitimate tool or application.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic detects a potential suspicious modification of firewall rule allowing to execute specific application. This technique was identified when an adversary and red teams to bypassed firewall file execution restriction in a targetted host. Take note that this event or command can run by administrator during testing or allowing legitimate tool or application.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -25168,7 +25823,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Firewall Allowed Program Enable - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Azorult", "BlackByte Ransomware", "NjRAT", "PlugX"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Azorult", "BlackByte Ransomware", "NjRAT", "PlugX"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -25185,7 +25840,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for child processes spawned by zoom.exe or zoom.us that has not previously been seen.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1068"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search looks for child processes spawned by zoom.exe or zoom.us that has not previously been seen.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -25200,7 +25855,7 @@ action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Bla
 action.escu.analytic_story = ["Suspicious Zoom Child Processes"]
 action.risk = 1
 action.risk.param._risk_message = Child process $process_name$ with $process_id$ spawned by zoom.exe or zoom.us which has not been previously on host $dest$
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"threat_object_field": "process_name", "threat_object_type": "process name"}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"threat_object_field": "process_name", "threat_object_type": "process"}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -25208,7 +25863,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - First Time Seen Child Process of Zoom - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Zoom Child Processes"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1068"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Zoom Child Processes"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -25225,7 +25880,7 @@ search = | tstats `security_content_summariesonly` min(_time) as firstTime value
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for the first and last time a Windows service is seen running in your environment. This table is then cached.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search looks for the first and last time a Windows service is seen running in your environment. This table is then cached.
 action.escu.how_to_implement = While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows system event logs in order for this search to execute successfully. You should run the baseline search `Previously Seen Running Windows Services - Initial` to build the initial table of child processes and hostnames for this search to work. You should also schedule at the same interval as this search the second baseline search `Previously Seen Running Windows Services - Update` to keep this table up to date and to age out old Windows Services. Please update the `previously_seen_windows_services_window` macro to adjust the time window. Please ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above.
@@ -25248,7 +25903,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - First Time Seen Running Windows Service - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Service Abuse", "Orangeworm Attack Group", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Service Abuse", "Orangeworm Attack Group", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -25269,7 +25924,7 @@ description = Fodhelper.exe has a known UAC bypass as it attempts to look for sp
 1. `HKCU:\Software\Classes\ms-settings\shell\open\command\DelegateExecute`\
 1. `HKCU:\Software\Classes\ms-settings\shell\open\command\(default)`\
 Upon triage, fodhelper.exe will have a child process and read access will occur on the registry keys. Isolate the endpoint and review parallel processes for additional behavior.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1112", "T1548.002", "T1548"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112", "T1548.002", "T1548"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = Fodhelper.exe has a known UAC bypass as it attempts to look for specific registry keys upon execution, that do not exist. Therefore, an attacker can write its malicious commands in these registry keys to be executed by fodhelper.exe with the highest privilege. \
 1. `HKCU:\Software\Classes\ms-settings\shell\open\command`\
@@ -25288,7 +25943,7 @@ action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Bla
 action.escu.analytic_story = ["Windows Defense Evasion Tactics", "IcedID"]
 action.risk = 1
 action.risk.param._risk_message = Suspcious registy keys added by process fodhelper.exe (process_id- $process_id), with a parent_process of $parent_process_name$ that has been executed on $dest$ by $user$.
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}, {"threat_object_field": "parent_process_name", "threat_object_type": "process name"}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}, {"threat_object_field": "parent_process_name", "threat_object_type": "process"}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -25296,7 +25951,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - FodHelper UAC Bypass - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "IcedID"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "mitre_attack": ["T1112", "T1548.002", "T1548"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "IcedID"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112", "T1548.002", "T1548"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -25323,7 +25978,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This search is to detect a suspicious fsutil process to zeroing a target file. This technique was seen in lockbit ransomware where it tries to zero out its malware path as part of its defense evasion after encrypting the compromised host.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search is to detect a suspicious fsutil process to zeroing a target file. This technique was seen in lockbit ransomware where it tries to zero out its malware path as part of its defense evasion after encrypting the compromised host.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -25346,7 +26001,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Fsutil Zeroing File - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "LockBit Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "mitre_attack": ["T1070"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "LockBit Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -25369,7 +26024,7 @@ search = | tstats `security_content_summariesonly` count values(Processes.proces
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for the execution of `powershell.exe` executing the Get-ADDefaultDomainPasswordPolicy commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for the execution of `powershell.exe` executing the Get-ADDefaultDomainPasswordPolicy commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -25387,7 +26042,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Get ADDefaultDomainPasswordPolicy with Powershell - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -25404,7 +26059,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADDefaultDomainPasswordPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADDefaultDomainPasswordPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
@@ -25422,7 +26077,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Get ADDefaultDomainPasswordPolicy with Powershell Script Block - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -25439,7 +26094,7 @@ search = `powershell` EventCode=4104 ScriptBlockText ="*Get-ADDefaultDomainPassw
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to enumerate domain users. The `Get-AdUser' commandlet returns a list of all domain users. Red Teams and adversaries alike may use this commandlet to identify remote systems for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to enumerate domain users. The `Get-AdUser' commandlet returns a list of all domain users. Red Teams and adversaries alike may use this commandlet to identify remote systems for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -25457,7 +26112,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Get ADUser with PowerShell - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -25474,7 +26129,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGUser` commandlet. The `Get-AdUser` commandlet is used to return a list of all domain users. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGUser` commandlet. The `Get-AdUser` commandlet is used to return a list of all domain users. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
@@ -25492,7 +26147,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Get ADUser with PowerShell Script Block - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -25509,7 +26164,7 @@ search = `powershell` EventCode=4104 ScriptBlockText = "*get-aduser*" ScriptBloc
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for the execution of `powershell.exe` executing the Get ADUserResultantPasswordPolicy commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for the execution of `powershell.exe` executing the Get ADUserResultantPasswordPolicy commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -25532,7 +26187,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Get ADUserResultantPasswordPolicy with Powershell - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1201"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -25555,7 +26210,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUserResultantPasswordPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUserResultantPasswordPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
@@ -25578,7 +26233,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Get ADUserResultantPasswordPolicy with Powershell Script Block - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "mitre_attack": ["T1201"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -25601,7 +26256,7 @@ search = `powershell` EventCode=4104 ScriptBlockText="*Get-ADUserResultantPasswo
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for the execution of `powershell.exe` executing the `Get-DomainPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for the execution of `powershell.exe` executing the `Get-DomainPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -25624,7 +26279,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Get DomainPolicy with Powershell - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "mitre_attack": ["T1201"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -25647,7 +26302,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get DomainPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get DomainPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery. action.escu.how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. 
@@ -25670,7 +26325,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Get DomainPolicy with Powershell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "mitre_attack": ["T1201"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -25693,7 +26348,7 @@ search = `powershell` EventCode=4104 ScriptBlockText ="*Get-DomainPolicy*" | sta action.escu = 0 action.escu.enabled = 1 description = This analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information. Typically, this is utilized within a script being executed and used to enumerate the domain trust information. This grants the adversary an understanding of how large or small the domain is. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information. Typically, this is utilized within a script being executed and used to enumerate the domain trust information. This grants the adversary an understanding of how large or small the domain is. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -25716,7 +26371,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Get-DomainTrust with PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 40, "impact": 30, "mitre_attack": ["T1482"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 40, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -25741,7 +26396,7 @@ action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information. \ 
@@ -25766,7 +26421,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Get-DomainTrust with PowerShell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 40, "impact": 30, "mitre_attack": ["T1482"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 40, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -25791,7 +26446,7 @@ search = `powershell` EventCode=4104 ScriptBlockText = "*get-domaintrust*" | sta action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to enumerate domain users. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain users for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to enumerate domain users. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain users for situational awareness and Active Directory Discovery. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -25814,7 +26469,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Get DomainUser with PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -25837,7 +26492,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` commandlet. `GetDomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain users for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` commandlet. `GetDomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain users for situational awareness and Active Directory Discovery. action.escu.how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. 
@@ -25860,7 +26515,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Get DomainUser with PowerShell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -25883,7 +26538,7 @@ search = `powershell` EventCode=4104 ScriptBlockText = "*Get-DomainUser*" | stat action.escu = 0 action.escu.enabled = 1 description = This analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information. Typically, this is utilized within a script being executed and used to enumerate the domain trust information. This grants the adversary an understanding of how large or small the domain is. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information. Typically, this is utilized within a script being executed and used to enumerate the domain trust information. This grants the adversary an understanding of how large or small the domain is. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -25906,7 +26561,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Get-ForestTrust with PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 40, "impact": 30, "mitre_attack": ["T1482"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 40, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -25931,7 +26586,7 @@ action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1482", "T1059.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1482", "T1059.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information. \ 
@@ -25956,7 +26611,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Get-ForestTrust with PowerShell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 40, "impact": 30, "mitre_attack": ["T1482", "T1059.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 40, "impact": 30, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1482", "T1059.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -25981,7 +26636,7 @@ search = `powershell` EventCode=4104 ScriptBlockText = "*get-foresttrust*" | sta action.escu = 0 action.escu.enabled = 1 description = The following hunting analytic identifies the use of `Get-WMIObject Win32_Group` being used with PowerShell to identify local groups on the endpoint. \ Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \ During triage, review parallel processes and identify any further suspicious behavior. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following hunting analytic identifies the use of `Get-WMIObject Win32_Group` being used with PowerShell to identify local groups on the endpoint. \ Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \ During triage, review parallel processes and identify any further suspicious behavior. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -25999,7 +26654,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Get WMIObject Group Discovery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -26018,7 +26673,7 @@ action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies the usage of `Get-WMIObject Win32_Group`, which is typically used as a way to identify groups on the endpoint. Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies the usage of `Get-WMIObject Win32_Group`, which is typically used as a way to identify groups on the endpoint. Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \ 
@@ -26038,7 +26693,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Get WMIObject Group Discovery with Script Block Logging - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -26055,7 +26710,7 @@ search = `powershell` EventCode=4104 ScriptBlockText = "*Get-WMIObject*" AND Scr action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. The `Get-AdComputer' commandlet returns a list of all domain computers. Red Teams and adversaries alike may use this commandlet to identify remote systems for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. The `Get-AdComputer' commandlet returns a list of all domain computers. Red Teams and adversaries alike may use this commandlet to identify remote systems for situational awareness and Active Directory Discovery. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -26073,7 +26728,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - GetAdComputer with PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1018"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -26090,7 +26745,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGroup` commandlet. The `Get-AdGroup` commandlet is used to return a list of all domain computers. Red Teams and adversaries may leverage this commandlet to enumerate domain computers for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGroup` commandlet. The `Get-AdGroup` commandlet is used to return a list of all domain computers. Red Teams and adversaries may leverage this commandlet to enumerate domain computers for situational awareness and Active Directory Discovery. action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
@@ -26108,7 +26763,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - GetAdComputer with PowerShell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA22-320A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1018"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "CISA AA22-320A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -26125,7 +26780,7 @@ search = `powershell` EventCode=4104 (ScriptBlockText = "*Get-AdComputer*") | st action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-AdGroup` commandlnet is used to return a list of all groups available in a Windows Domain. Red Teams and adversaries alike may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-AdGroup` commandlnet is used to return a list of all groups available in a Windows Domain. Red Teams and adversaries alike may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -26143,7 +26798,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - GetAdGroup with PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -26160,7 +26815,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGroup` commandlet. The `Get-AdGroup` commandlet is used to return a list of all domain groups. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGroup` commandlet. The `Get-AdGroup` commandlet is used to return a list of all domain groups. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery. action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
@@ -26178,7 +26833,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - GetAdGroup with PowerShell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -26195,7 +26850,7 @@ search = `powershell` EventCode=4104 ScriptBlockText = "*Get-ADGroup*" | stats c action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `powerhsell.exe` with command-line arguments that execute the `GetCurrent` method of the WindowsIdentity .NET class. This method returns an object that represents the current Windows user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `powerhsell.exe` with command-line arguments that execute the `GetCurrent` method of the WindowsIdentity .NET class. This method returns an object that represents the current Windows user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -26213,7 +26868,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - GetCurrent User with PowerShell - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1033"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -26230,7 +26885,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `GetCurrent` method of the WindowsIdentity .NET class. This method returns an object that represents the current Windows user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `GetCurrent` method of the WindowsIdentity .NET class. This method returns an object that represents the current Windows user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
@@ -26248,7 +26903,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - GetCurrent User with PowerShell Script Block - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1033"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -26265,7 +26920,7 @@ search = `powershell` EventCode=4104 ScriptBlockText = "*[System.Security.Princi
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. `Get-DomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. `Get-DomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -26288,7 +26943,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - GetDomainComputer with PowerShell - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -26311,7 +26966,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainComputer` commandlet. `GetDomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain computers for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainComputer` commandlet. `GetDomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain computers for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
@@ -26334,7 +26989,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - GetDomainComputer with PowerShell Script Block - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -26357,7 +27012,7 @@ search = `powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainComputer*")
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. `Get-DomainController` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. `Get-DomainController` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -26375,7 +27030,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - GetDomainController with PowerShell - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "mitre_attack": ["T1018"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -26392,7 +27047,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainController` commandlet. `Get-DomainController` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain computers for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainController` commandlet. `Get-DomainController` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain computers for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
@@ -26415,7 +27070,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - GetDomainController with PowerShell Script Block - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -26438,7 +27093,7 @@ search = `powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainController*"
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -26461,7 +27116,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - GetDomainGroup with PowerShell - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -26484,7 +27139,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainGroup` commandlet. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. As the name suggests, `Get-DomainGroup` is used to query domain groups. Red Teams and adversaries may leverage this function to enumerate domain groups for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainGroup` commandlet. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. As the name suggests, `Get-DomainGroup` is used to query domain groups. Red Teams and adversaries may leverage this function to enumerate domain groups for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
@@ -26507,7 +27162,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - GetDomainGroup with PowerShell Script Block - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -26530,7 +27185,7 @@ search = `powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainGroup*") | s
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for local users. The `Get-LocalUser` commandlet is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for local users. The `Get-LocalUser` commandlet is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -26548,7 +27203,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - GetLocalUser with PowerShell - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -26565,7 +27220,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-LocalUser` commandlet. The `Get-LocalUser` commandlet is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1087", "T1087.001", "T1059.001"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1087", "T1087.001", "T1059.001"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-LocalUser` commandlet. The `Get-LocalUser` commandlet is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
@@ -26583,7 +27238,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - GetLocalUser with PowerShell Script Block - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1087", "T1087.001", "T1059.001"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1087", "T1087.001", "T1059.001"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -26600,7 +27255,7 @@ search = `powershell` EventCode=4104 (ScriptBlockText = "*Get-LocalUser*") | sta
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for the execution of `powershell.exe` with command-line utilized to get a listing of network connections on a compromised system. The `Get-NetTcpConnection` commandlet lists the current TCP connections. Red Teams and adversaries alike may use this commandlet for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line utilized to get a listing of network connections on a compromised system. The `Get-NetTcpConnection` commandlet lists the current TCP connections. Red Teams and adversaries alike may use this commandlet for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -26618,7 +27273,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - GetNetTcpconnection with PowerShell - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -26635,7 +27290,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-NetTcpconnection ` commandlet. This commandlet is used to return a listing of network connections on a compromised system. Red Teams and adversaries alike may use this commandlet for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-NetTcpconnection ` commandlet. This commandlet is used to return a listing of network connections on a compromised system. Red Teams and adversaries alike may use this commandlet for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
@@ -26653,7 +27308,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - GetNetTcpconnection with PowerShell Script Block - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -26670,7 +27325,7 @@ search = `powershell` EventCode=4104 (ScriptBlockText = "*Get-NetTcpconnection*"
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. The `Get-WmiObject` commandlet combined with the `DS_Computer` parameter can be used to return a list of all domain computers. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain groups for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. The `Get-WmiObject` commandlet combined with the `DS_Computer` parameter can be used to return a list of all domain computers. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain groups for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -26693,7 +27348,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - GetWmiObject Ds Computer with PowerShell - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -26716,7 +27371,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet. The `DS_Computer` class parameter leverages WMI to query for all domain computers. Red Teams and adversaries may leverage this commandlet to enumerate domain computers for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet. The `DS_Computer` class parameter leverages WMI to query for all domain computers. Red Teams and adversaries may leverage this commandlet to enumerate domain computers for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
@@ -26739,7 +27394,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - GetWmiObject Ds Computer with PowerShell Script Block - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -26762,7 +27417,7 @@ search = `powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND Script
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-WmiObject` commandlet combined with the `-class ds_group` parameter can be used to return the full list of groups in a Windows domain. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain groups for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-WmiObject` commandlet combined with the `-class ds_group` parameter can be used to return the full list of groups in a Windows domain. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain groups for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model.
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -26785,7 +27440,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - GetWmiObject Ds Group with PowerShell - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -26808,7 +27463,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters . The `DS_Group` parameter leverages WMI to query for all domain groups. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters . The `DS_Group` parameter leverages WMI to query for all domain groups. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
@@ -26831,7 +27486,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - GetWmiObject Ds Group with PowerShell Script Block - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -26854,7 +27509,7 @@ search = `powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND Script
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain users. The `Get-WmiObject` commandlet combined with the `-class ds_user` parameter can be used to return the full list of users in a Windows domain. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain users for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain users. The `Get-WmiObject` commandlet combined with the `-class ds_user` parameter can be used to return the full list of users in a Windows domain. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain users for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model.
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -26877,7 +27532,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - GetWmiObject DS User with PowerShell - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -26900,7 +27555,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet. The `DS_User` class parameter leverages WMI to query for all domain users. Red Teams and adversaries may leverage this commandlet to enumerate domain users for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet. The `DS_User` class parameter leverages WMI to query for all domain users. Red Teams and adversaries may leverage this commandlet to enumerate domain users for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
@@ -26923,7 +27578,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - GetWmiObject DS User with PowerShell Script Block - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -26946,7 +27601,7 @@ search = `powershell` EventCode=4104 ScriptBlockText = "*get-wmiobject*" ScriptB
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query local users. The `Get-WmiObject` commandlet combined with the `Win32_UserAccount` parameter is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query local users. The `Get-WmiObject` commandlet combined with the `Win32_UserAccount` parameter is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -26964,7 +27619,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - GetWmiObject User Account with PowerShell - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Winter Vivern", "Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Winter Vivern", "Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -26981,7 +27636,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters. The `Win32_UserAccount` parameter is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1087", "T1087.001", "T1059.001"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1087", "T1087.001", "T1059.001"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters. The `Win32_UserAccount` parameter is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
@@ -26999,7 +27654,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - GetWmiObject User Account with PowerShell Script Block - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Winter Vivern", "Active Directory Discovery", "Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1087", "T1087.001", "T1059.001"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Winter Vivern", "Active Directory Discovery", "Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1087", "T1087.001", "T1059.001"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -27016,7 +27671,7 @@ search = `powershell` EventCode=4104 (ScriptBlockText="*Get-WmiObject*" AND Scri
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies gpupdate.exe with no command line arguments and with a network connection. It is unusual for gpupdate.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. gpupdate.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint", "Network_Traffic"]
 action.escu.eli5 = The following analytic identifies gpupdate.exe with no command line arguments and with a network connection. It is unusual for gpupdate.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. gpupdate.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions.
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -27031,7 +27686,7 @@ action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Bla
 action.escu.analytic_story = ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"]
 action.risk = 1
 action.risk.param._risk_message = Process gpupdate.exe with parent_process $parent_process_name$ is executed on $dest$ by user $user$, followed by an outbound network connection to $C2$ on port $dest_port$. This behaviour is seen with cobaltstrike.
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}, {"threat_object_field": "parent_process_name", "threat_object_type": "process name"}, {"risk_object_field": "C2", "risk_object_type": "system", "risk_score": 81}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}, {"threat_object_field": "parent_process_name", "threat_object_type": "process"}, {"risk_object_field": "C2", "risk_object_type": "other", "risk_score": 81}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -27039,7 +27694,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - GPUpdate with no Command Line Arguments with Network - Rule
-action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -27062,7 +27717,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies headless browser activity accessing mockbin.org or mocky.io. Mockbin.org and mocky.io are web services that allow users to mock HTTP requests and responses. The detection is based on the presence of "--headless" and "--disable-gpu" command line arguments which are commonly used in headless browsing and the presence of mockbin.org or mocky.io in the process.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1564.003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.003"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies headless browser activity accessing mockbin.org or mocky.io. Mockbin.org and mocky.io are web services that allow users to mock HTTP requests and responses. The detection is based on the presence of "--headless" and "--disable-gpu" command line arguments which are commonly used in headless browsing and the presence of mockbin.org or mocky.io in the process.
 action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
@@ -27085,7 +27740,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Headless Browser Mockbin or Mocky Request - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Forest Blizzard"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "mitre_attack": ["T1564.003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Forest Blizzard"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -27108,7 +27763,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following hunting analytic is designed to detect the usage of headless browsers in an organization. Headless browsers are web browsers without a graphical user interface and are operated via a command line interface or network requests. They are often used for automating tasks but can also be utilized by adversaries for malicious activities such as web scraping, automated testing, and performing actions on web pages without detection. The detection is based on the presence of "--headless" and "--disable-gpu" command line arguments which are commonly used in headless browsing.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1564.003"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.003"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following hunting analytic is designed to detect the usage of headless browsers in an organization. Headless browsers are web browsers without a graphical user interface and are operated via a command line interface or network requests. They are often used for automating tasks but can also be utilized by adversaries for malicious activities such as web scraping, automated testing, and performing actions on web pages without detection. The detection is based on the presence of "--headless" and "--disable-gpu" command line arguments which are commonly used in headless browsing.
 action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
@@ -27126,7 +27781,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Headless Browser Usage - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Forest Blizzard"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1564.003"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Forest Blizzard"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.003"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -27143,7 +27798,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic identifies a suspicious registry modification to hide a user account on the Windows Login screen. This technique was seen in some tradecraft where the adversary will create a hidden user account with Admin privileges in login screen to avoid noticing by the user that they already compromise and to persist on that said machine.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic identifies a suspicious registry modification to hide a user account on the Windows Login screen. This technique was seen in some tradecraft where the adversary will create a hidden user account with Admin privileges in login screen to avoid noticing by the user that they already compromise and to persist on that said machine.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
@@ -27158,7 +27813,7 @@ action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Bla
 action.escu.analytic_story = ["XMRig", "Windows Registry Abuse", "Azorult", "Warzone RAT"]
 action.risk = 1
 action.risk.param._risk_message = Suspicious registry modification ($registry_value_name$) which is used go hide a user account on the Windows Login screen detected on $dest$ executed by $user$
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"threat_object_field": "registry_value_name", "threat_object_type": "other"}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "registry_value_name", "risk_object_type": "other", "risk_score": 72}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -27166,7 +27821,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Hide User Account From Sign-In Screen - Rule
-action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Windows Registry Abuse", "Azorult", "Warzone RAT"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Windows Registry Abuse", "Azorult", "Warzone RAT"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -27189,7 +27844,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = Attackers leverage an existing Windows binary, attrib.exe, to mark specific as hidden by using specific flags so that the victim does not see the file. The search looks for specific command-line arguments to detect the use of attrib.exe to hide files.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1222", "T1222.001"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222", "T1222.001"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = Attackers leverage an existing Windows binary, attrib.exe, to mark specific as hidden by using specific flags so that the victim does not see the file. The search looks for specific command-line arguments to detect the use of attrib.exe to hide files.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -27212,7 +27867,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Hiding Files And Directories With Attrib exe - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Persistence Techniques", "Azorult"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "mitre_attack": ["T1222", "T1222.001"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Persistence Techniques", "Azorult"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222", "T1222.001"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -27235,7 +27890,7 @@ search = | tstats `security_content_summariesonly` count min(_time) values(Proce
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic is to detect a suspicious high frequency copying/moving of files in network share as part of information sabotage. This anomaly event can be a good indicator of insider trying to sabotage data by transfering classified or internal files within network share to exfitrate it after or to lure evidence of insider attack to other user. This behavior may catch several noise if network share is a common place for classified or internal document processing.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1537"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This analytic is to detect a suspicious high frequency copying/moving of files in network share as part of information sabotage. This anomaly event can be a good indicator of insider trying to sabotage data by transfering classified or internal files within network share to exfitrate it after or to lure evidence of insider attack to other user. This behavior may catch several noise if network share is a common place for classified or internal document processing.
 action.escu.how_to_implement = o successfully implement this search, you need to be ingesting Windows Security Event Logs with 5145 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy.
@@ -27258,7 +27913,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - High Frequency Copy Of Files In Network Share - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Information Sabotage", "Insider Threat"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "mitre_attack": ["T1537"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Information Sabotage", "Insider Threat"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1537"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -27275,7 +27930,7 @@ search = `wineventlog_security` EventCode=5145 Relative_Target_Name IN ("*.doc",
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic is designed to identify a high frequency of process termination events on a computer in a short period of time, which is a common behavior of ransomware malware before encrypting files. This technique is designed to avoid an exception error while accessing (docs, images, database and etc..) in the infected machine for encryption.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This analytic is designed to identify a high frequency of process termination events on a computer in a short period of time, which is a common behavior of ransomware malware before encrypting files. This technique is designed to avoid an exception error while accessing (docs, images, database and etc..) in the infected machine for encryption.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the Image (process full path of terminated process) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
@@ -27298,7 +27953,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - High Process Termination Frequency - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Clop Ransomware", "LockBit Ransomware", "BlackByte Ransomware", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "mitre_attack": ["T1486"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Clop Ransomware", "LockBit Ransomware", "BlackByte Ransomware", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -27315,7 +27970,7 @@ search = `sysmon` EventCode=5 |bin _time span=3s |stats values(Image) as proc_te
 action.escu = 0
 action.escu.enabled = 1
 description = The hunting analytic outlined below is designed to detect any version of the 3CXDesktopApp, also known as the 3CX Desktop App, operating on either Mac or Windows systems. It is important to note that this particular analytic employs the Endpoint datamodel Processes node, which means that the file version information is not provided. Recently, 3CX has identified a vulnerability specifically in versions 18.12.407 and 18.12.416 of the desktop app.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1195.002"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.002"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The hunting analytic outlined below is designed to detect any version of the 3CXDesktopApp, also known as the 3CX Desktop App, operating on either Mac or Windows systems. It is important to note that this particular analytic employs the Endpoint datamodel Processes node, which means that the file version information is not provided. Recently, 3CX has identified a vulnerability specifically in versions 18.12.407 and 18.12.416 of the desktop app.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model.
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -27333,7 +27988,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Hunting 3CXDesktopApp Software - Rule
-action.correlationsearch.annotations = {"analytic_story": ["3CX Supply Chain Attack"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-29059"], "impact": 80, "mitre_attack": ["T1195.002"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["3CX Supply Chain Attack"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2023-29059"], "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1195.002"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -27350,7 +28005,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic identifies instances where an adversary modifies the security permissions of a particular file or directory. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The purpose of this behavior is to actively evade detection and impede access to their associated files. By identifying these security permission changes, we can enhance our ability to detect and respond to potential threats, mitigating the impact of malicious activities on the system.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic identifies instances where an adversary modifies the security permissions of a particular file or directory. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The purpose of this behavior is to actively evade detection and impede access to their associated files. By identifying these security permission changes, we can enhance our ability to detect and respond to potential threats, mitigating the impact of malicious activities on the system.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions.
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -27373,7 +28028,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Icacls Deny Command - Rule
-action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Azorult", "Sandworm Tools"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "mitre_attack": ["T1222"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Azorult", "Sandworm Tools"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -27396,7 +28051,7 @@ search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic identifies adversaries who manipulate the security permissions of specific files or directories by granting additional access. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The objective behind this behavior is to actively evade detection mechanisms and tightly control access to their associated files. By identifying these security permission modifications, we can improve our ability to identify and respond to potential threats, thereby minimizing the impact of malicious activities on the system.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic identifies adversaries who manipulate the security permissions of specific files or directories by granting additional access. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The objective behind this behavior is to actively evade detection mechanisms and tightly control access to their associated files. By identifying these security permission modifications, we can improve our ability to identify and respond to potential threats, thereby minimizing the impact of malicious activities on the system.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process.
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -27419,7 +28074,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - ICACLS Grant Command - Rule
-action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1222"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -27442,7 +28097,7 @@ search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_
 action.escu = 0
 action.escu.enabled = 1
 description = This search is to detect a suspicious file creation namely passff.tar and cookie.tar. This files are possible archived of stolen browser information like history and cookies in a compromised machine with IcedID.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search is to detect a suspicious file creation namely passff.tar and cookie.tar. This files are possible archived of stolen browser information like history and cookies in a compromised machine with IcedID.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
@@ -27460,7 +28115,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - IcedID Exfiltrated Archived File Creation - Rule
-action.correlationsearch.annotations = {"analytic_story": ["IcedID"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["IcedID"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -27477,7 +28132,7 @@ search = `sysmon` EventCode= 11 (TargetFilename = "*\\passff.tar" OR TargetFile
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for the presence of suspicious commandline parameters typically present when using Impacket tools. Impacket is a collection of python classes meant to be used with Microsoft network protocols. There are multiple scripts that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` and `atexec.py` used to execute commands on remote endpoints. By default, these scripts leverage administrative shares and hardcoded parameters that can be used as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets tools for lateral movement and remote code execution.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for the presence of suspicious commandline parameters typically present when using Impacket tools. Impacket is a collection of python classes meant to be used with Microsoft network protocols. There are multiple scripts that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` and `atexec.py` used to execute commands on remote endpoints. By default, these scripts leverage administrative shares and hardcoded parameters that can be used as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets tools for lateral movement and remote code execution.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents.
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -27500,7 +28155,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Impacket Lateral Movement Commandline Parameters - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-277A", "WhisperGate", "Prestige Ransomware", "Volt Typhoon", "Graceful Wipe Out Attack", "Industroyer2", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-277A", "WhisperGate", "Prestige Ransomware", "Volt Typhoon", "Graceful Wipe Out Attack", "Industroyer2", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -27523,7 +28178,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic focuses on identifying suspicious command-line parameters commonly associated with the use of Impacket wmiexec.py. Impacket is a set of Python classes designed for working with Microsoft network protocols, and it includes several scripts like wmiexec.py, smbexec.py, dcomexec.py, and atexec.py that enable command execution on remote endpoints. These scripts typically utilize administrative shares and hardcoded parameters, which can serve as signatures to detect their usage. Both Red Teams and adversaries may employ Impacket tools for lateral movement and remote code execution purposes. By monitoring for these specific command-line indicators, the analytic aims to detect potentially malicious activities related to Impacket tool usage.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic focuses on identifying suspicious command-line parameters commonly associated with the use of Impacket wmiexec.py. Impacket is a set of Python classes designed for working with Microsoft network protocols, and it includes several scripts like wmiexec.py, smbexec.py, dcomexec.py, and atexec.py that enable command execution on remote endpoints. These scripts typically utilize administrative shares and hardcoded parameters, which can serve as signatures to detect their usage. Both Red Teams and adversaries may employ Impacket tools for lateral movement and remote code execution purposes.
By monitoring for these specific command-line indicators, the analytic aims to detect potentially malicious activities related to Impacket tool usage.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -27546,7 +28201,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-277A", "WhisperGate", "Prestige Ransomware", "Volt Typhoon", "Graceful Wipe Out Attack", "Industroyer2", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-277A", "WhisperGate", "Prestige Ransomware", "Volt Typhoon", "Graceful Wipe Out Attack", "Industroyer2", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -27569,7 +28224,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for the presence of suspicious commandline parameters typically present when using Impacket tools. Impacket is a collection of python classes meant to be used with Microsoft network protocols. There are multiple scripts that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` and `atexec.py` used to execute commands on remote endpoints. By default, these scripts leverage administrative shares and hardcoded parameters that can be used as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets tools for lateral movement and remote code execution.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for the presence of suspicious commandline parameters typically present when using Impacket tools. Impacket is a collection of python classes meant to be used with Microsoft network protocols. There are multiple scripts that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` and `atexec.py` used to execute commands on remote endpoints. By default, these scripts leverage administrative shares and hardcoded parameters that can be used as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets tools for lateral movement and remote code execution.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents.
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -27592,7 +28247,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-277A", "WhisperGate", "Prestige Ransomware", "Volt Typhoon", "Graceful Wipe Out Attack", "Industroyer2", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-277A", "WhisperGate", "Prestige Ransomware", "Volt Typhoon", "Graceful Wipe Out Attack", "Industroyer2", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -27615,7 +28270,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the usage of the `Enter-PSSession`. This commandlet can be used to open an interactive session on a remote endpoint leveraging the WinRM protocol. Red Teams and adversaries alike may abuse WinRM and `Enter-PSSession` for lateral movement and remote code execution.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the usage of the `Enter-PSSession`. This commandlet can be used to open an interactive session on a remote endpoint leveraging the WinRM protocol. Red Teams and adversaries alike may abuse WinRM and `Enter-PSSession` for lateral movement and remote code execution.
 action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
@@ -27638,7 +28293,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Interactive Session on Remote Endpoint with PowerShell - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -27661,7 +28316,7 @@ search = `powershell` EventCode=4104 (ScriptBlockText="*Enter-PSSession*" AND Sc
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies a Java user agent performing a GET request for a .class file from the remote site. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell).
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Web"]
 action.escu.eli5 = The following analytic identifies a Java user agent performing a GET request for a .class file from the remote site. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell).
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.
@@ -27684,7 +28339,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Java Class File download by Java User Agent - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Log4Shell CVE-2021-44228"], "cis20": ["CIS 13"], "confidence": 50, "cve": ["CVE-2021-44228"], "impact": 80, "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Log4Shell CVE-2021-44228"], "cis20": ["CIS 13"], "confidence": 50, "cve": ["CVE-2021-44228"], "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -27707,7 +28362,7 @@ search = | tstats count from datamodel=Web where Web.http_user_agent="*Java*" We
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies the process java writing a .jsp to disk. This is potentially indicative of a web shell being written to disk. Modify and tune the analytic based on data ingested. For instance, it may be worth running a broad query for jsp file writes first before performing a join.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies the process java writing a .jsp to disk. This is potentially indicative of a web shell being written to disk. Modify and tune the analytic based on data ingested. For instance, it may be worth running a broad query for jsp file writes first before performing a join.
 action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
@@ -27730,7 +28385,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Java Writing JSP File - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Spring4Shell CVE-2022-22965", "Atlassian Confluence Server and Data Center CVE-2022-26134", "SysAid On-Prem Software CVE-2023-47246 Vulnerability"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2022-22965"], "impact": 60, "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Spring4Shell CVE-2022-22965", "Atlassian Confluence Server and Data Center CVE-2022-26134", "SysAid On-Prem Software CVE-2023-47246 Vulnerability"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2022-22965"], "impact": 60, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -27753,7 +28408,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = This search is to detect a execution of jscript using cscript process. Commonly when a user run jscript file it was executed by wscript.exe application. This technique was seen in FIN7 js implant to execute its malicious script using cscript process. This behavior is uncommon and a good artifacts to check further anomalies within the network
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search is to detect a execution of jscript using cscript process. Commonly when a user run jscript file it was executed by wscript.exe application. This technique was seen in FIN7 js implant to execute its malicious script using cscript process. This behavior is uncommon and a good artifacts to check further anomalies within the network
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -27776,7 +28431,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Jscript Execution Using Cscript App - Rule -action.correlationsearch.annotations = {"analytic_story": ["FIN7", "Remcos"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["FIN7", "Remcos"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -27799,7 +28454,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential kerberoasting attack against Active Directory networks. Kerberoasting allows an adversary to request kerberos tickets for domain accounts typically used as service accounts and attempt to crack them offline allowing them to obtain privileged access to the domain. This analytic looks for a specific combination of the Ticket_Options field based on common kerberoasting tools. Defenders should be aware that it may be possible for a Kerberoast attack to use different Ticket_Options. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential kerberoasting attack against Active Directory networks. Kerberoasting allows an adversary to request kerberos tickets for domain accounts typically used as service accounts and attempt to crack them offline allowing them to obtain privileged access to the domain. This analytic looks for a specific combination of the Ticket_Options field based on common kerberoasting tools. Defenders should be aware that it may be possible for a Kerberoast attack to use different Ticket_Options. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. 
@@ -27822,7 +28477,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kerberoasting spn request with RC4 encryption - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation", "Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation", "Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -27845,7 +28500,7 @@ search = `wineventlog_security` EventCode=4769 Service_Name!="*$" (Ticket_Option action.escu = 0 action.escu.enabled = 1 description = The following analytic leverages Windows Security Event 4738, `A user account was changed`, to identify a change performed on a domain user object that disables Kerberos Pre-Authentication. Disabling the Pre Authentication flag in the UserAccountControl property allows an adversary to easily perform a brute force attack against the user's password offline leveraging the ASP REP Roasting technique. Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]} action.escu.data_models = ["Change"] action.escu.eli5 = The following analytic leverages Windows Security Event 4738, `A user account was changed`, to identify a change performed on a domain user object that disables Kerberos Pre-Authentication. Disabling the Pre Authentication flag in the UserAccountControl property allows an adversary to easily perform a brute force attack against the user's password offline leveraging the ASP REP Roasting technique. Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `User Account Management` within `Account Management` needs to be enabled. 
@@ -27868,7 +28523,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kerberos Pre-Authentication Flag Disabled in UserAccountControl - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -27891,7 +28546,7 @@ search = `wineventlog_security` EventCode=4738 MSADChangedAttributes="*Don't Re action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Set-ADAccountControl` commandlet with specific parameters. `Set-ADAccountControl` is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, `Set-ADAccountControl` is used to modify User Account Control values for an Active Directory domain account. With the appropiate parameters, Set-ADAccountControl allows adversaries to disable Kerberos Pre-Authentication for an account to to easily perform a brute force attack against the user's password offline leveraging the ASP REP Roasting technique. Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Set-ADAccountControl` commandlet with specific parameters. `Set-ADAccountControl` is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, `Set-ADAccountControl` is used to modify User Account Control values for an Active Directory domain account. With the appropiate parameters, Set-ADAccountControl allows adversaries to disable Kerberos Pre-Authentication for an account to to easily perform a brute force attack against the user's password offline leveraging the ASP REP Roasting technique. 
Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges. action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -27914,7 +28569,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kerberos Pre-Authentication Flag Disabled with PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.004"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -27937,7 +28592,7 @@ search = `powershell` EventCode=4104 (ScriptBlockText = "*Set-ADAccountControl*" action.escu = 0 action.escu.enabled = 1 description = The following analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential Kerberos Service Ticket request related to a Golden Ticket attack. Adversaries who have obtained the Krbtgt account NTLM password hash may forge a Kerberos Granting Ticket (TGT) to obtain unrestricted access to an Active Directory environment. Armed with a Golden Ticket, attackers can request service tickets to move laterally and execute code on remote systems. Looking for Kerberos Service Ticket requests using the legacy RC4 encryption mechanism could represent the second stage of a Golden Ticket attack. RC4 usage should be rare on a modern network since Windows Vista & Windows Sever 2008 and newer support AES Kerberos encryption.\ Defenders should note that if an attacker does not leverage the NTLM password hash but rather the AES key to create a golden ticket, this detection may be bypassed. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1558", "T1558.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential Kerberos Service Ticket request related to a Golden Ticket attack. Adversaries who have obtained the Krbtgt account NTLM password hash may forge a Kerberos Granting Ticket (TGT) to obtain unrestricted access to an Active Directory environment. Armed with a Golden Ticket, attackers can request service tickets to move laterally and execute code on remote systems. 
Looking for Kerberos Service Ticket requests using the legacy RC4 encryption mechanism could represent the second stage of a Golden Ticket attack. RC4 usage should be rare on a modern network since Windows Vista & Windows Sever 2008 and newer support AES Kerberos encryption.\ Defenders should note that if an attacker does not leverage the NTLM password hash but rather the AES key to create a golden ticket, this detection may be bypassed. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. @@ -27960,7 +28615,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "mitre_attack": ["T1558", "T1558.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -27983,7 +28638,7 @@ search = `wineventlog_security` EventCode=4769 Service_Name="*$" (Ticket_Option action.escu = 0 action.escu.enabled = 1 description = The following analytic leverages Event 4768, A Kerberos authentication ticket (TGT) was requested, to identify a TGT request with encryption type 0x17, or RC4-HMAC. This encryption type is no longer utilized by newer systems and could represent evidence of an OverPass The Hash attack. Similar to Pass The Hash, OverPass The Hash is a form of credential theft that allows adversaries to move laterally or consume resources in a target network. Leveraging this attack, an adversary who has stolen the NTLM hash of a valid domain account is able to authenticate to the Kerberos Distribution Center(KDC) on behalf of the legitimate account and obtain a Kerberos TGT ticket. Depending on the privileges of the compromised account, this ticket may be used to obtain unauthorized access to systems and other network resources. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1550"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic leverages Event 4768, A Kerberos authentication ticket (TGT) was requested, to identify a TGT request with encryption type 0x17, or RC4-HMAC. This encryption type is no longer utilized by newer systems and could represent evidence of an OverPass The Hash attack. Similar to Pass The Hash, OverPass The Hash is a form of credential theft that allows adversaries to move laterally or consume resources in a target network. Leveraging this attack, an adversary who has stolen the NTLM hash of a valid domain account is able to authenticate to the Kerberos Distribution Center(KDC) on behalf of the legitimate account and obtain a Kerberos TGT ticket. 
Depending on the privileges of the compromised account, this ticket may be used to obtain unauthorized access to systems and other network resources. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. @@ -28006,7 +28661,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kerberos TGT Request Using RC4 Encryption - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1550"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -28029,7 +28684,7 @@ search = `wineventlog_security` EventCode=4768 Ticket_Encryption_Type=0x17 Acco action.escu = 0 action.escu.enabled = 1 description = The following analytic leverages Event Id 4768, A Kerberos authentication ticket (TGT) was requested, to identify one source endpoint trying to obtain an unusual number Kerberos TGT ticket for non existing users. This behavior could represent an adversary abusing the Kerberos protocol to perform a user enumeration attack against an Active Directory environment. When Kerberos is sent a TGT request with no preauthentication for an invalid username, it responds with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN or 0x6. Red teams and adversaries alike may abuse the Kerberos protocol to validate a list of users use them to perform further attacks.\ The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number requests. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1589", "T1589.002"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1589", "T1589.002"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic leverages Event Id 4768, A Kerberos authentication ticket (TGT) was requested, to identify one source endpoint trying to obtain an unusual number Kerberos TGT ticket for non existing users. This behavior could represent an adversary abusing the Kerberos protocol to perform a user enumeration attack against an Active Directory environment. When Kerberos is sent a TGT request with no preauthentication for an invalid username, it responds with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN or 0x6. 
Red teams and adversaries alike may abuse the Kerberos protocol to validate a list of users use them to perform further attacks.\ The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number requests. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. @@ -28052,7 +28707,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Kerberos User Enumeration - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "mitre_attack": ["T1589", "T1589.002"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1589", "T1589.002"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -28069,7 +28724,7 @@ search = `wineventlog_security` EventCode=4768 Result_Code=0x6 Account_Name!="* action.escu = 0 action.escu.enabled = 1 description = This search detects a suspicioous termination of known services killed by ransomware before encrypting files in a compromised machine. This technique is commonly seen in most of ransomware now a days to avoid exception error while accessing the targetted files it wants to encrypts because of the open handle of those services to the targetted file. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search detects a suspicioous termination of known services killed by ransomware before encrypting files in a compromised machine. This technique is commonly seen in most of ransomware now a days to avoid exception error while accessing the targetted files it wants to encrypts because of the open handle of those services to the targetted file. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the 7036 EventCode ScManager in System audit Logs from your endpoints. 
@@ -28092,7 +28747,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Known Services Killed by Ransomware - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "BlackMatter Ransomware", "LockBit Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "mitre_attack": ["T1490"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "BlackMatter Ransomware", "LockBit Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -28115,7 +28770,7 @@ search = `wineventlog_system` EventCode=7036 Message IN ("*Volume Shadow Copy*", action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect a deletion of ssh key in a linux machine. attacker may delete or modify ssh key to impair some security features or act as defense evasion in compromised linux machine. This Anomaly can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to detect a deletion of ssh key in a linux machine. attacker may delete or modify ssh key to impair some security features or act as defense evasion in compromised linux machine. This Anomaly can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. 
@@ -28138,7 +28793,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Account Manipulation Of SSH Config and Keys - Rule -action.correlationsearch.annotations = {"analytic_story": ["Acidrain"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Acidrain"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -28155,7 +28810,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic aims to detect unauthorized activities through suspicious file creation in recognized cron table directories, prevalent Unix-based locations for scheduling tasks. This behavior is often exploited by nefarious entities like malware or threat actors, including red teamers, to establish persistence on a targeted or compromised host. The analogy to Windows-based scheduled tasks helps explain the utility of a crontab or cron job. To enhance clarity and actionable intelligence, the anomaly query flags the anomaly, urging further investigation into the added file's details. A cybersecurity analyst should consider additional data points such as the user identity involved, the file's nature and purpose, file origin, timestamp, and any changes in system behavior post file execution. This comprehensive understanding aids in accurately determining the file's legitimacy, facilitating prompt and effective response actions. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic aims to detect unauthorized activities through suspicious file creation in recognized cron table directories, prevalent Unix-based locations for scheduling tasks. This behavior is often exploited by nefarious entities like malware or threat actors, including red teamers, to establish persistence on a targeted or compromised host. The analogy to Windows-based scheduled tasks helps explain the utility of a crontab or cron job. 
To enhance clarity and actionable intelligence, the anomaly query flags the anomaly, urging further investigation into the added file's details. A cybersecurity analyst should consider additional data points such as the user identity involved, the file's nature and purpose, file origin, timestamp, and any changes in system behavior post file execution. This comprehensive understanding aids in accurately determining the file's legitimacy, facilitating prompt and effective response actions. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. @@ -28178,7 +28833,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Add Files In Known Crontab Directories - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -28195,7 +28850,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic looks for commands to create user accounts on the linux platform. This technique is commonly abuse by adversaries, malware author and red teamers to persist on the targeted or compromised host by creating new user with an elevated privilege. This Hunting query may catch normal creation of user by administrator so filter is needed. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for commands to create user accounts on the linux platform. This technique is commonly abuse by adversaries, malware author and red teamers to persist on the targeted or compromised host by creating new user with an elevated privilege. This Hunting query may catch normal creation of user by administrator so filter is needed. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -28213,7 +28868,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Add User Account - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -28230,7 +28885,7 @@ search = | tstats `security_content_summariesonly` count from datamodel=Endpoint action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies suspicious modifications to cron jobs on Linux systems using the crontab command with list parameters. This command line parameter can be abused by malware like Industroyer2, as well as adversaries and red teamers, to add a crontab entry for executing their malicious code on a schedule of their choice. However, it's important to note that administrators or normal users may also use this command for legitimate automation purposes, so filtering is required to minimize false positives. Identifying the modification of cron jobs using list parameters is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is detected, further investigation should be conducted to analyze the added cron job, its associated command, and the impact it may have on the system. This includes examining the purpose of the job, reviewing any on-disk artifacts, and identifying any related processes or activities occurring concurrently. The impact of a true positive can range from unauthorized execution of malicious code to data destruction or other damaging outcomes. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies suspicious modifications to cron jobs on Linux systems using the crontab command with list parameters. This command line parameter can be abused by malware like Industroyer2, as well as adversaries and red teamers, to add a crontab entry for executing their malicious code on a schedule of their choice. 
However, it's important to note that administrators or normal users may also use this command for legitimate automation purposes, so filtering is required to minimize false positives. Identifying the modification of cron jobs using list parameters is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is detected, further investigation should be conducted to analyze the added cron job, its associated command, and the impact it may have on the system. This includes examining the purpose of the job, reviewing any on-disk artifacts, and identifying any related processes or activities occurring concurrently. The impact of a true positive can range from unauthorized execution of malicious code to data destruction or other damaging outcomes. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -28248,7 +28903,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Adding Crontab Using List Parameter - Rule -action.correlationsearch.annotations = {"analytic_story": ["Industroyer2", "Linux Privilege Escalation", "Linux Living Off The Land", "Data Destruction", "Linux Persistence Techniques", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Industroyer2", "Linux Privilege Escalation", "Linux Living Off The Land", "Data Destruction", "Linux Persistence Techniques", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -28265,7 +28920,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The apt-get is a command line tool for interacting with the Advanced Package Tool (APT) library (a package management system for Linux distributions). It allows you to search for, install, manage, update, and remove software. The tool does not build software from the source code. If sudo right is given to the tool for user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The apt-get is a command line tool for interacting with the Advanced Package Tool (APT) library (a package management system for Linux distributions). It allows you to search for, install, manage, update, and remove software. The tool does not build software from the source code. If sudo right is given to the tool for user, then the user can run system commands as root and possibly get a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -28288,7 +28943,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux apt-get Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -28305,7 +28960,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = Advanced Package Tool, more commonly known as APT, is a collection of tools used to install, update, remove, and otherwise manage software packages on Debian and its derivative operating systems, including Ubuntu and Linux Mint. If sudo right is given to the tool for user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = Advanced Package Tool, more commonly known as APT, is a collection of tools used to install, update, remove, and otherwise manage software packages on Debian and its derivative operating systems, including Ubuntu and Linux Mint. If sudo right is given to the tool for user, then the user can run system commands as root and possibly get a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -28328,7 +28983,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux APT Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -28346,7 +29001,7 @@ action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the creation of suspicious configuration files, /etc/at.allow or /etc/at.deny, in Linux. These files are commonly abused by malware, adversaries, or red teamers to establish persistence on compromised hosts. The configuration files determine which users are allowed to execute the "at" application, which is used for scheduling tasks in Linux. Attackers can add their user or a compromised username to these files to execute malicious code using "at." It's important to consider potential false positives as administrators or network operators may create these files for legitimate automation purposes. Adjust the filter macros to minimize false positives.\ Identifying the creation of these configuration files is valuable for a SOC as it indicates potential unauthorized activities or an attacker attempting to establish persistence. If a true positive is found, further investigation is necessary to examine the contents of the created configuration file and determine the source of creation. The impact of a true positive can vary but could result in unauthorized execution of malicious code, data theft, or other detrimental consequences. Analysts should review the file path, creation time, and associated processes to assess the extent of the attack and initiate appropriate response actions. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects the creation of suspicious configuration files, /etc/at.allow or /etc/at.deny, in Linux. These files are commonly abused by malware, adversaries, or red teamers to establish persistence on compromised hosts. 
The configuration files determine which users are allowed to execute the "at" application, which is used for scheduling tasks in Linux. Attackers can add their user or a compromised username to these files to execute malicious code using "at." It's important to consider potential false positives as administrators or network operators may create these files for legitimate automation purposes. Adjust the filter macros to minimize false positives.\ Identifying the creation of these configuration files is valuable for a SOC as it indicates potential unauthorized activities or an attacker attempting to establish persistence. If a true positive is found, further investigation is necessary to examine the contents of the created configuration file and determine the source of creation. The impact of a true positive can vary but could result in unauthorized execution of malicious code, data theft, or other detrimental consequences. Analysts should review the file path, creation time, and associated processes to assess the extent of the attack and initiate appropriate response actions. @@ -28370,7 +29025,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux At Allow Config File Creation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -28389,7 +29044,7 @@ action.escu.enabled = 1 description = The following analytic detects the execution of the "At" application in Linux, which can be used by attackers to create persistence entries on a compromised host. The "At" application can be used for automation purposes by administrators or network operators, so the filter macros should be updated to remove false positives. If a true positive is found, it suggests an attacker is trying to maintain access to the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the required fields from your endpoints into the Endpoint datamodel. When a true positive is detected, it suggests that an attacker is attempting to establish persistence or deliver additional malicious payloads by leveraging the "At" application. This behavior can lead to data theft, ransomware attacks, or other damaging outcomes.\ During triage, the SOC analyst should review the context surrounding the execution of the "At" application. This includes identifying the user, the parent process responsible for invoking the application, and the specific command-line arguments used. It is important to consider whether the execution is expected behavior by an administrator or network operator for legitimate automation purposes.\ The presence of "At" application execution may indicate an attacker's attempt to maintain unauthorized access to the environment. Immediate investigation and response are necessary to mitigate further risks, identify the attacker's intentions, and prevent potential harm to the organization. 
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.002", "T1053"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.002", "T1053"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects the execution of the "At" application in Linux, which can be used by attackers to create persistence entries on a compromised host. The "At" application can be used for automation purposes by administrators or network operators, so the filter macros should be updated to remove false positives. If a true positive is found, it suggests an attacker is trying to maintain access to the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the required fields from your endpoints into the Endpoint datamodel. When a true positive is detected, it suggests that an attacker is attempting to establish persistence or deliver additional malicious payloads by leveraging the "At" application. This behavior can lead to data theft, ransomware attacks, or other damaging outcomes.\ During triage, the SOC analyst should review the context surrounding the execution of the "At" application. This includes identifying the user, the parent process responsible for invoking the application, and the specific command-line arguments used. It is important to consider whether the execution is expected behavior by an administrator or network operator for legitimate automation purposes.\ 
@@ -28414,7 +29069,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux At Application Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "mitre_attack": ["T1053.002", "T1053"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.002", "T1053"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -28431,7 +29086,7 @@ search = | tstats `security_content_summariesonly` count from datamodel=Endpoint action.escu = 0 action.escu.enabled = 1 description = Awk is mostly used for processing and scanning patterns. It checks one or more files to determine whether any lines fit the specified patterns, and if so, it does the appropriate action. If sudo right is given to AWK binary for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = Awk is mostly used for processing and scanning patterns. It checks one or more files to determine whether any lines fit the specified patterns, and if so, it does the appropriate action. If sudo right is given to AWK binary for the user, then the user can run system commands as root and possibly get a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -28454,7 +29109,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux AWK Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -28471,7 +29126,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides minimalist replacements for most of the utilities you usually find in GNU coreutils, util-linux, etc. If sudo right is given to BusyBox application for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides minimalist replacements for most of the utilities you usually find in GNU coreutils, util-linux, etc. If sudo right is given to BusyBox application for the user, then the user can run system commands as root and possibly get a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -28494,7 +29149,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Busybox Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -28511,7 +29166,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The c89 and cc commands compile, assemble, and link-edit C programs; the cxx or c++ command does the same for C++ programs. The c89 command should be used when compiling C programs that are written according to Standard C. If sudo right is given to c89 application for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The c89 and cc commands compile, assemble, and link-edit C programs; the cxx or c++ command does the same for C++ programs. The c89 command should be used when compiling C programs that are written according to Standard C. If sudo right is given to c89 application for the user, then the user can run system commands as root and possibly get a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -28534,7 +29189,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux c89 Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -28551,7 +29206,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The c99 utility is an interface to the standard C compilation system; it shall accept source code conforming to the ISO C standard. The system conceptually consists of a compiler and link editor. If sudo right is given to ruby application for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The c99 utility is an interface to the standard C compilation system; it shall accept source code conforming to the ISO C standard. The system conceptually consists of a compiler and link editor. If sudo right is given to ruby application for the user, then the user can run system commands as root and possibly get a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -28574,7 +29229,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux c99 Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -28591,7 +29246,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic looks for a commandline that change the file owner to root using chown utility tool. This technique is commonly abuse by adversaries, malware author and red teamers to escalate privilege to the targeted or compromised host by changing the owner of their malicious file to root. This event is not so common in corporate network except from the administrator doing normal task that needs high privilege. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1222.002", "T1222"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222.002", "T1222"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for a commandline that change the file owner to root using chown utility tool. This technique is commonly abuse by adversaries, malware author and red teamers to escalate privilege to the targeted or compromised host by changing the owner of their malicious file to root. This event is not so common in corporate network except from the administrator doing normal task that needs high privilege. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -28614,7 +29269,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Change File Owner To Root - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1222.002", "T1222"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222.002", "T1222"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -28631,7 +29286,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the use of Linux Xclip copying data out of the clipboard. Adversaries have utilized this technique to capture passwords, IP addresses, or store payloads. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1115"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1115"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the use of Linux Xclip copying data out of the clipboard. Adversaries have utilized this technique to capture passwords, IP addresses, or store payloads. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -28654,7 +29309,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Clipboard Data Copy - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 40, "impact": 40, "mitre_attack": ["T1115"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 40, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1115"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -28671,7 +29326,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic is to look for possible elevation control access using a common known process in linux platform to change the attribute and file ownership. This technique is commonly abused by adversaries, malware author and red teamers to gain persistence or privilege escalation on the target or compromised host. This common process is used to modify file attribute, file ownership or SUID. This tools can be used in legitimate purposes so filter is needed. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to look for possible elevation control access using a common known process in linux platform to change the attribute and file ownership. This technique is commonly abused by adversaries, malware author and red teamers to gain persistence or privilege escalation on the target or compromised host. This common process is used to modify file attribute, file ownership or SUID. This tools can be used in legitimate purposes so filter is needed. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -28689,7 +29344,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Common Process For Elevation Control - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -28706,7 +29361,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = Composer is a tool for dependency management in PHP. It allows you to declare the libraries your project depends on and it will manage (install/update) them for you. If sudo right is given to tool for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = Composer is a tool for dependency management in PHP. It allows you to declare the libraries your project depends on and it will manage (install/update) them for you. If sudo right is given to tool for the user, then the user can run system commands as root and possibly get a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -28729,7 +29384,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Composer Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -28746,7 +29401,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = cpulimit is a simple program which attempts to limit the cpu usage of a process (expressed in percentage, not in cpu time). This is useful to control batch jobs, when you don't want them to eat too much cpu. If sudo right is given to the program for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = cpulimit is a simple program which attempts to limit the cpu usage of a process (expressed in percentage, not in cpu time). This is useful to control batch jobs, when you don't want them to eat too much cpu. If sudo right is given to the program for the user, then the user can run system commands as root and possibly get a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -28769,7 +29424,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Cpulimit Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -28786,7 +29441,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = csvtool is an easy to use command-line tool to work with .CSV files. If sudo right is given to the tool for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = csvtool is an easy to use command-line tool to work with .CSV files. If sudo right is given to the tool for the user, then the user can run system commands as root and possibly get a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -28809,7 +29464,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Csvtool Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -28826,7 +29481,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies curl being utilized with the -F or --form, --upload-file, -T, -d, --data, --data-raw, -I and --head switches to upload AWS credentials or config to a remote destination. This enables uploading of binary files and so forth. To force the 'content' part to be a file, prefix the file name with an @ sign. To just get the content part from a file, prefix the file name with the symbol <. The difference between @ and < is then that @ makes a file get attached in the post as a file upload, while the < makes a text field and just get the contents for that text field from a file. This technique was utlized by the TeamTNT group to exfiltrate AWS credentials. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies curl being utilized with the -F or --form, --upload-file, -T, -d, --data, --data-raw, -I and --head switches to upload AWS credentials or config to a remote destination. This enables uploading of binary files and so forth. To force the 'content' part to be a file, prefix the file name with an @ sign. To just get the content part from a file, prefix the file name with the symbol <. The difference between @ and < is then that @ makes a file get attached in the post as a file upload, while the < makes a text field and just get the contents for that text field from a file. This technique was utlized by the TeamTNT group to exfiltrate AWS credentials. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -28849,7 +29504,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Curl Upload File - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Data Exfiltration", "Ingress Tool Transfer"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1105"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Data Exfiltration", "Ingress Tool Transfer"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -28872,7 +29527,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a unix shell command that can wipe root folders of a linux host. This commandline is being abused by Awfulshred malware that wipes or corrupts files in a targeted Linux host. The shell command uses the rm command with force recursive deletion even in the root folder. This TTP can be a good indicator that a user or a process wants to wipe roots directory files in Linux host. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies a unix shell command that can wipe root folders of a linux host. This commandline is being abused by Awfulshred malware that wipes or corrupts files in a targeted Linux host. The shell command uses the rm command with force recursive deletion even in the root folder. This TTP can be a good indicator that a user or a process wants to wipe roots directory files in Linux host. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -28895,7 +29550,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Data Destruction Command - Rule -action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "mitre_attack": ["T1485"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -28918,7 +29573,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic is to look for dd command to overwrite file. This technique was abused by adversaries or threat actor to destroy files or data on specific system or in a large number of host within network to interrupt host avilability, services and many more. This is also used to destroy data where it make the file irrecoverable by forensic techniques through overwriting files, data or local and remote drives. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to look for dd command to overwrite file. This technique was abused by adversaries or threat actor to destroy files or data on specific system or in a large number of host within network to interrupt host avilability, services and many more. This is also used to destroy data where it make the file irrecoverable by forensic techniques through overwriting files, data or local and remote drives. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -28941,7 +29596,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux DD File Overwrite - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1485"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -28964,7 +29619,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the behavior of decoding base64-encoded data and passing it to a Linux shell. Additionally, it mitigates the potential damage and protects the organization's systems and data.The detection is made by searching for specific commands in the Splunk query, namely "base64 -d" and "base64 --decode", within the Endpoint.Processes data model. The analytic also includes a filter for Linux shells. The detection is important because it indicates the presence of malicious activity since Base64 encoding is commonly used to obfuscate malicious commands or payloads, and decoding it can be a step in running those commands. It suggests that an attacker is attempting to run malicious commands on a Linux system to gain unauthorized access, for data exfiltration, or perform other malicious actions. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1027", "T1059.004"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1027", "T1059.004"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects the behavior of decoding base64-encoded data and passing it to a Linux shell. Additionally, it mitigates the potential damage and protects the organization's systems and data.The detection is made by searching for specific commands in the Splunk query, namely "base64 -d" and "base64 --decode", within the Endpoint.Processes data model. The analytic also includes a filter for Linux shells. The detection is important because it indicates the presence of malicious activity since Base64 encoding is commonly used to obfuscate malicious commands or payloads, and decoding it can be a step in running those commands. 
It suggests that an attacker is attempting to run malicious commands on a Linux system to gain unauthorized access, for data exfiltration, or perform other malicious actions. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -28987,7 +29642,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Decode Base64 to Shell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1027", "T1059.004"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1027", "T1059.004"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -29010,7 +29665,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a suspicious deletion of a critical folder in Linux machine using rm command. This technique was seen in industroyer2 campaign to wipe or destroy energy facilities of a targeted sector. Deletion in these list of folder is not so common since it need some elevated privileges to access some of it. We recommend to look further events specially in file access or file deletion, process commandline that may related to this technique. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies a suspicious deletion of a critical folder in Linux machine using rm command. This technique was seen in industroyer2 campaign to wipe or destroy energy facilities of a targeted sector. Deletion in these list of folder is not so common since it need some elevated privileges to access some of it. We recommend to look further events specially in file access or file deletion, process commandline that may related to this technique. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -29033,7 +29688,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Deleting Critical Directory Using RM Command - Rule -action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1485"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -29056,7 +29711,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect a deletion of cron job in a linux machine. This technique can be related to an attacker, threat actor or malware to disable scheduled cron jobs that might be related to security or to evade some detections. We also saw that this technique can be a good indicator for malware that is trying to wipe or delete several files on the compromised host like the acidrain malware. This anomaly detection can be a good pivot detection to look for process and user doing it why they doing. Take note that this event can be done by administrator so filtering on those possible false positive event is needed. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to detect a deletion of cron job in a linux machine. This technique can be related to an attacker, threat actor or malware to disable scheduled cron jobs that might be related to security or to evade some detections. We also saw that this technique can be a good indicator for malware that is trying to wipe or delete several files on the compromised host like the acidrain malware. This anomaly detection can be a good pivot detection to look for process and user doing it why they doing. Take note that this event can be done by administrator so filtering on those possible false positive event is needed. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. 
If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. @@ -29071,7 +29726,7 @@ action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Bla action.escu.analytic_story = ["AcidRain", "Data Destruction"] action.risk = 1 action.risk.param._risk_message = Linux cron jobs are deleted on host $dest$ by process GUID- $process_guid$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"threat_object_field": "file_name", "threat_object_type": "file name"}] +action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -29079,7 +29734,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Deletion Of Cron Jobs - Rule -action.correlationsearch.annotations = {"analytic_story": ["AcidRain", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["AcidRain", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -29096,7 +29751,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect a deletion of init daemon script in a linux machine. daemon script that place in /etc/init.d/ is a directory that can start and stop some daemon services in linux machines. attacker may delete or modify daemon script to impair some security features or act as defense evasion in a compromised linux machine. This TTP can be also a good indicator of a malware trying to wipe or delete several files in compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to detect a deletion of init daemon script in a linux machine. daemon script that place in /etc/init.d/ is a directory that can start and stop some daemon services in linux machines. attacker may delete or modify daemon script to impair some security features or act as defense evasion in a compromised linux machine. This TTP can be also a good indicator of a malware trying to wipe or delete several files in compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation. 
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. @@ -29111,7 +29766,7 @@ action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Bla action.escu.analytic_story = ["AcidRain", "Data Destruction"] action.risk = 1 action.risk.param._risk_message = Init daemon script deleted on host $dest$ by process GUID- $process_guid$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"threat_object_field": "file_name", "threat_object_type": "file name"}] +action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -29119,7 +29774,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Deletion Of Init Daemon Script - Rule -action.correlationsearch.annotations = {"analytic_story": ["AcidRain", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["AcidRain", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -29142,7 +29797,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic is to detect a deletion of services in a linux machine. attacker may delete or modify services to impair some security features or act as defense evasion in a compromised linux machine. This TTP can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic is to detect a deletion of services in a linux machine. attacker may delete or modify services to impair some security features or act as defense evasion in a compromised linux machine. This TTP can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.
@@ -29157,7 +29812,7 @@ action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Bla
 action.escu.analytic_story = ["AwfulShred", "AcidRain", "Data Destruction"]
 action.risk = 1
 action.risk.param._risk_message = A services file $file_name$ deteted on host $dest$ by process GUID - $process_guid$
-action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"threat_object_field": "file_name", "threat_object_type": "file name"}]
+action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -29165,7 +29820,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux Deletion Of Services - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "AcidRain", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "AcidRain", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -29188,7 +29843,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic is to detect a deletion of ssl certificate in a linux machine. attacker may delete or modify ssl certificate to impair some security features or act as defense evasion in compromised linux machine. This Anomaly can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic is to detect a deletion of ssl certificate in a linux machine. attacker may delete or modify ssl certificate to impair some security features or act as defense evasion in compromised linux machine. This Anomaly can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.
@@ -29203,7 +29858,7 @@ action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Bla
 action.escu.analytic_story = ["Acidrain"]
 action.risk = 1
 action.risk.param._risk_message = SSL certificate deleted on host $dest$ by process GUID- $process_guid$
-action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"threat_object_field": "file_name", "threat_object_type": "file name"}]
+action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -29211,7 +29866,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux Deletion of SSL Certificate - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Acidrain"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Acidrain"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
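Review bot: The rewritten annotations line for the SSL Certificate rule still carries `"analytic_story": ["Acidrain"]`, and the risk hunk just above it has `action.escu.analytic_story = ["Acidrain"]`, while the Init Daemon Script and Deletion Of Services entries earlier in this diff spell the same story `"AcidRain"`. Story membership in Enterprise Security is matched by exact name, so this detection would presumably fall out of the AcidRain story and its annotation would not line up with the other two, even though the commit touches the line. I would change both occurrences to `["AcidRain"]` in the source detection YAML rather than in this generated dist file. The stanza continues outside the hunk.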
@@ -29228,7 +29883,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic is to detect events that attempts to disable a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then delete it. Adversaries utilize this technique like industroyer2 malware to terminate security services or other related services to continue there objective as a destructive payload.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic is to detect events that attempts to disable a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then delete it. Adversaries utilize this technique like industroyer2 malware to terminate security services or other related services to continue there objective as a destructive payload.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -29251,7 +29906,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux Disable Services - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1489"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -29274,7 +29929,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic is to detect the creation of doas.conf file in linux host platform. This configuration file can be use by doas utility tool to allow or permit standard users to perform tasks as root, the same way sudo does. This tool is developed as a minimalistic alternative to sudo application. This tool can be abused advesaries, attacker or malware to gain elevated privileges to the targeted or compromised host. On the other hand this can also be executed by administrator for a certain task that needs admin rights. In this case filter is needed.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic is to detect the creation of doas.conf file in linux host platform. This configuration file can be use by doas utility tool to allow or permit standard users to perform tasks as root, the same way sudo does. This tool is developed as a minimalistic alternative to sudo application. This tool can be abused advesaries, attacker or malware to gain elevated privileges to the targeted or compromised host. On the other hand this can also be executed by administrator for a certain task that needs admin rights. In this case filter is needed.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.
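Review bot: For a rule labelled `Linux Doas Conf File Creation`, the closing `action.escu.how_to_implement` context line describes process and command-line ingestion rather than file-creation events, so the guidance does not match what the description says the search looks for (the search body is cut off in the hunk header, so this is inferred from the name and description). I would reuse the wording the file-creation entries further down use: `action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.` In the same description and eli5 lines, `abused advesaries` should read `abused by adversaries`. As dist/ is generated by the release job, these fixes belong in the source detection YAML; the stanza continues past the hunk.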
@@ -29297,7 +29952,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux Doas Conf File Creation - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -29314,7 +29969,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic is to detect the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does. This tool is developed as a minimalistic alternative to sudo application. This tool can be abused advesaries, attacker or malware to gain elevated privileges to the targeted or compromised host. On the other hand this can also be executed by administrator for a certain task that needs admin rights. In this case filter is needed.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic is to detect the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does. This tool is developed as a minimalistic alternative to sudo application. This tool can be abused advesaries, attacker or malware to gain elevated privileges to the targeted or compromised host. On the other hand this can also be executed by administrator for a certain task that needs admin rights. In this case filter is needed.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product.
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -29337,7 +29992,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux Doas Tool Execution - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -29354,7 +30009,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = Docker is an open source containerization platform. It helps programmers to bundle applications into containers, which are standardized executable parts that include the application source code along with the OS libraries and dependencies needed to run that code in any setting. The user can add mount the root directory into a container and edit the /etc/password file to add a super user. This requires the user to be privileged enough to run docker, i.e. being in the docker group or being root.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = Docker is an open source containerization platform. It helps programmers to bundle applications into containers, which are standardized executable parts that include the application source code along with the OS libraries and dependencies needed to run that code in any setting. The user can add mount the root directory into a container and edit the /etc/password file to add a super user. This requires the user to be privileged enough to run docker, i.e. being in the docker group or being root.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product.
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -29377,7 +30032,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux Docker Privilege Escalation - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
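Review bot: The Docker Privilege Escalation description and eli5 context lines name `/etc/password` as the file edited through the bind-mounted host root; the Linux account database is `/etc/passwd`, and an analyst pivoting on the quoted path would miss the real target. The rewritten mappings line also keeps `T1548.003` (Sudo and Sudo Caching) for what the text itself describes as mounting the host root into a container to add a superuser, which reads closer to Escape to Host (T1611) or the parent T1548 than to sudo abuse; worth confirming against the search body, which is cut off in the hunk header. I would change `/etc/password` to `/etc/passwd` in both lines and revisit the technique mapping, in the source detection YAML since this dist file is generated. The stanza continues outside the hunk.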
@@ -29397,7 +30052,7 @@ description = The following analytic detects the suspicious editing of cron jobs
 Recognizing such activity is vital for a SOC as cron job manipulations might signal unauthorized persistence attempts or scheduled malicious actions, potentially resulting in substantial harm. A true positive signifies an active threat, with implications ranging from unauthorized access to broader network compromise.\
 To implement this analytic, logs capturing process name, parent process, and command-line executions from your endpoints must be ingested.\
 Known false positives could stem from valid administrative tasks or automation processes using crontab. To reduce these, fine-tune the filter macros according to the benign activities within your environment. These adjustments ensure legitimate actions aren't mistaken for threats, allowing analysts to focus on genuine potential risks.\
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic detects the suspicious editing of cron jobs in Linux via the crontab command-line parameter. This tactic could be used by adversaries or malware to schedule execution of their malicious code, potentially leading to system compromise or unauthorized persistent access. It pinpoints this activity by monitoring command-line executions involving 'crontab' and the edit parameter (-e).\
 Recognizing such activity is vital for a SOC as cron job manipulations might signal unauthorized persistence attempts or scheduled malicious actions, potentially resulting in substantial harm. A true positive signifies an active threat, with implications ranging from unauthorized access to broader network compromise.\
@@ -29418,7 +30073,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux Edit Cron Table Parameter - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -29435,7 +30090,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = EMACS is a family of text editors that are characterized by their extensibility. The manual for the most widely used variant, GNU Emacs, describes it as "the extensible, customizable, self-documenting, real-time display editor". If sudo right is given to EMACS tool for the user, then the user can run special commands as root and possibly get a root shell.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = EMACS is a family of text editors that are characterized by their extensibility. The manual for the most widely used variant, GNU Emacs, describes it as "the extensible, customizable, self-documenting, real-time display editor". If sudo right is given to EMACS tool for the user, then the user can run special commands as root and possibly get a root shell.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -29458,7 +30113,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux Emacs Privilege Escalation - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -29475,7 +30130,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for suspicious file creation in kernel/driver directory in linux platform. This directory is known folder for all linux kernel module available within the system. so creation of file in this directory is a good indicator that there is a possible rootkit installation in the host machine. This technique was abuse by adversaries, malware author and red teamers to gain high privileges to their malicious code such us in kernel level. Even this event is not so common administrator or legitimate 3rd party tool may install driver or linux kernel module as part of its installation.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for suspicious file creation in kernel/driver directory in linux platform. This directory is known folder for all linux kernel module available within the system. so creation of file in this directory is a good indicator that there is a possible rootkit installation in the host machine. This technique was abuse by adversaries, malware author and red teamers to gain high privileges to their malicious code such us in kernel level. Even this event is not so common administrator or legitimate 3rd party tool may install driver or linux kernel module as part of its installation.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.
@@ -29498,7 +30153,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux File Created In Kernel Driver Directory - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Rootkit"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Rootkit"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -29515,7 +30170,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for suspicious file creation on init system directories for automatic execution of script or file upon boot up. This technique is commonly abuse by adversaries, malware author and red teamer to persist on the targeted or compromised host. This behavior can be executed or use by an administrator or network operator to add script files or binary files as part of a task or automation. filter is needed.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1037.004", "T1037"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1037.004", "T1037"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for suspicious file creation on init system directories for automatic execution of script or file upon boot up. This technique is commonly abuse by adversaries, malware author and red teamer to persist on the targeted or compromised host. This behavior can be executed or use by an administrator or network operator to add script files or binary files as part of a task or automation. filter is needed.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase
@@ -29538,7 +30193,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux File Creation In Init Boot Directory - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1037.004", "T1037"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1037.004", "T1037"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -29555,7 +30210,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for suspicious file creation in /etc/profile.d directory to automatically execute scripts by shell upon boot up of a linux machine. This technique is commonly abused by adversaries, malware and red teamers as a persistence mechanism to the targeted or compromised host. This Anomaly detection is a good indicator that someone wants to run a code after boot up which can be done also by the administrator or network operator for automation purposes.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1546.004", "T1546"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.004", "T1546"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for suspicious file creation in /etc/profile.d directory to automatically execute scripts by shell upon boot up of a linux machine. This technique is commonly abused by adversaries, malware and red teamers as a persistence mechanism to the targeted or compromised host. This Anomaly detection is a good indicator that someone wants to run a code after boot up which can be done also by the administrator or network operator for automation purposes.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.
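Review bot: The description and eli5 context lines say files dropped in `/etc/profile.d` are executed `upon boot up of a linux machine`; those scripts are sourced by login shells when a user logs in, not at boot, so the triage hint sends analysts to the wrong event window when they look for the follow-on execution. The later phrase `run a code after boot up` carries the same error. I would reword to `to automatically execute scripts whenever a user starts a login shell on a linux machine` and `run code on the next user login`, in the source detection YAML since this dist file is generated by the release job. The stanza continues outside the hunk.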
@@ -29578,7 +30233,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux File Creation In Profile Directory - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1546.004", "T1546"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.004", "T1546"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -29595,7 +30250,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = Find is a command-line utility that locates files based on some user-specified criteria and either prints the pathname of each matched object or, if another action is requested, performs that action on each matched object. If sudo right is given to find utility for the user, then the user can run system commands as root and possibly get a root shell.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = Find is a command-line utility that locates files based on some user-specified criteria and either prints the pathname of each matched object or, if another action is requested, performs that action on each matched object. If sudo right is given to find utility for the user, then the user can run system commands as root and possibly get a root shell.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -29618,7 +30273,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux Find Privilege Escalation - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -29635,7 +30290,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = GDB is the acronym for GNU Debugger. This tool helps to debug the programs written in C, C++, Ada, Fortran, etc. The console can be opened using the gdb command on terminal. If sudo right is given to GDB tool for the user, then the user can run system commands as root and possibly get a root shell.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = GDB is the acronym for GNU Debugger. This tool helps to debug the programs written in C, C++, Ada, Fortran, etc. The console can be opened using the gdb command on terminal. If sudo right is given to GDB tool for the user, then the user can run system commands as root and possibly get a root shell.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -29658,7 +30313,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux GDB Privilege Escalation - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -29675,7 +30330,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = RubyGems is a package manager for the Ruby programming language that provides a standard format for distributing Ruby programs and libraries (in a self-contained format called a "gem"), a tool designed to easily manage the installation of gems, and a server for distributing them. If sudo right is given to GEM utility for the user, then the user can run system commands as root and possibly get a root shell.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = RubyGems is a package manager for the Ruby programming language that provides a standard format for distributing Ruby programs and libraries (in a self-contained format called a "gem"), a tool designed to easily manage the installation of gems, and a server for distributing them. If sudo right is given to GEM utility for the user, then the user can run system commands as root and possibly get a root shell.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model.
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -29698,7 +30353,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux Gem Privilege Escalation - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -29715,7 +30370,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = gawk command in Linux is used for pattern scanning and processing language. The awk command requires no compiling and allows the user to use variables, numeric functions, string functions, and logical operators. It is a utility that enables programmers to write tiny and effective programs in the form of statements that define text patterns that are to be searched for, in a text document and the action that is to be taken when a match is found within a line. If sudo right is given to gawk tool for the user, then the user can run system commands as root and possibly get a root shell.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = gawk command in Linux is used for pattern scanning and processing language. The awk command requires no compiling and allows the user to use variables, numeric functions, string functions, and logical operators. It is a utility that enables programmers to write tiny and effective programs in the form of statements that define text patterns that are to be searched for, in a text document and the action that is to be taken when a match is found within a line. If sudo right is given to gawk tool for the user, then the user can run system commands as root and possibly get a root shell.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process.
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -29738,7 +30393,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux GNU Awk Privilege Escalation - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -29755,7 +30410,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for process execution to disable the swapping of paging devices. This technique was seen in Awfulshred malware that disables the swapping of the specified devices and files. This anomaly detection can be a good indicator that a process or a user tries to disable this Linux feature in a targeted host.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1200"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1200"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for process execution to disable the swapping of paging devices. This technique was seen in Awfulshred malware that disables the swapping of the specified devices and files. This anomaly detection can be a good indicator that a process or a user tries to disable this Linux feature in a targeted host.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -29778,7 +30433,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux Hardware Addition SwapOff - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "mitre_attack": ["T1200"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1200"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -29795,7 +30450,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic is to detect a high frequency of file deletion relative to process name and process id /boot/ folder. These events was seen in industroyer2 wiper malware where it tries to delete all files in a critical directory in linux directory. This detection already contains some filter that might cause false positive during our testing.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic is to detect a high frequency of file deletion relative to process name and process id /boot/ folder. These events was seen in industroyer2 wiper malware where it tries to delete all files in a critical directory in linux directory. This detection already contains some filter that might cause false positive during our testing.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.
@@ -29818,7 +30473,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux High Frequency Of File Deletion In Boot Folder - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -29841,7 +30496,7 @@ search = | tstats `security_content_summariesonly` values(Filesystem.file_name)
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic is to detect a high frequency of file deletion relative to process name and process id /etc/ folder. These events was seen in acidrain wiper malware where it tries to delete all files in a non-standard directory in linux directory. This detection already contains some filter that might cause false positive during our testing. But we recommend to add more filter if needed.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic is to detect a high frequency of file deletion relative to process name and process id /etc/ folder. These events was seen in acidrain wiper malware where it tries to delete all files in a non-standard directory in linux directory. This detection already contains some filter that might cause false positive during our testing. But we recommend to add more filter if needed.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.
@@ -29864,7 +30519,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux High Frequency Of File Deletion In Etc Folder - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AcidRain", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["AcidRain", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -29881,7 +30536,7 @@ search = | tstats `security_content_summariesonly` values(Filesystem.file_name)
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for PKILL process execution for possible termination of process. This technique is being used by several Threat actors, adversaries and red teamers to terminate processes in a targeted linux machine. This Hunting detection can be a good pivot to check a possible defense evasion technique or termination of security application in a linux host or wiper like Awfulshred that corrupt all files.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for PKILL process execution for possible termination of process. This technique is being used by several Threat actors, adversaries and red teamers to terminate processes in a targeted linux machine. This Hunting detection can be a good pivot to check a possible defense evasion technique or termination of security application in a linux host or wiper like Awfulshred that corrupt all files.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model.
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -29899,7 +30554,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux Impair Defenses Process Kill - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -29916,7 +30571,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for processes that clear or free page cache in Linux system host. This technique was seen in Awfulshred malware wiper that tries to clear the cache using kernel system request drop_caches while wiping all files in the targeted host. This TTP detection can be a good indicator of user or process tries to clear page cache to delete tracks or might be a wiper like Awfulshred.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for processes that clear or free page cache in Linux system host. This technique was seen in Awfulshred malware wiper that tries to clear the cache using kernel system request drop_caches while wiping all files in the targeted host. This TTP detection can be a good indicator of user or process tries to clear page cache to delete tracks or might be a wiper like Awfulshred.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -29939,7 +30594,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux Indicator Removal Clear Cache - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1070"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -29962,7 +30617,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for suspicious linux processes that delete service unit configuration files. This technique was seen in several malware to delete service configuration files to corrupt a services or security product as part of its defense evasion. This TTP detection can be a good indicator of possible malware try to kill several services or a wiper like AwfulShred shell script that wipes the targeted linux host
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for suspicious linux processes that delete service unit configuration files. This technique was seen in several malware to delete service configuration files to corrupt a services or security product as part of its defense evasion. This TTP detection can be a good indicator of possible malware try to kill several services or a wiper like AwfulShred shell script that wipes the targeted linux host
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model.
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -29985,7 +30640,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux Indicator Removal Service File Deletion - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -30002,7 +30657,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic hunts for curl and wget being utilized in the environment. This is meant to help with identifying normal usage and potentially malicious. Utilize this query to tune other curl and wget analytics.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1105"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic hunts for curl and wget being utilized in the environment. This is meant to help with identifying normal usage and potentially malicious. Utilize this query to tune other curl and wget analytics.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -30020,7 +30675,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux Ingress Tool Transfer Hunting - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Ingress Tool Transfer"], "cis20": ["CIS 10"], "confidence": 10, "impact": 10, "mitre_attack": ["T1105"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Ingress Tool Transfer"], "cis20": ["CIS 10"], "confidence": 10, "impact": 10, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -30037,7 +30692,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies curl with the command-line switches that are commonly used to download, output, a remote script or binary. MetaSploit Framework will combine the -sO switch with | chmod +x to enable a simple one liner to download and set the execute bit to run the file immediately. During triage, review the remote domain and file being downloaded for legitimacy.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1105"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies curl with the command-line switches that are commonly used to download, output, a remote script or binary. MetaSploit Framework will combine the -sO switch with | chmod +x to enable a simple one liner to download and set the execute bit to run the file immediately. During triage, review the remote domain and file being downloaded for legitimacy.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -30060,7 +30715,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux Ingress Tool Transfer with Curl - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Ingress Tool Transfer"], "cis20": ["CIS 10"], "confidence": 30, "impact": 40, "mitre_attack": ["T1105"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Ingress Tool Transfer"], "cis20": ["CIS 10"], "confidence": 30, "impact": 40, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -30077,7 +30732,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for inserting of linux kernel module using insmod utility function. This event can detect a installation of rootkit or malicious kernel module to gain elevated privileges to their malicious code and bypassed detections. This Anomaly detection is a good indicator that someone installing kernel module in a linux host either admin or adversaries. filter is needed in this scenario
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for inserting of linux kernel module using insmod utility function. This event can detect a installation of rootkit or malicious kernel module to gain elevated privileges to their malicious code and bypassed detections. This Anomaly detection is a good indicator that someone installing kernel module in a linux host either admin or adversaries. filter is needed in this scenario
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model.
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -30100,7 +30755,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Rootkit"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Rootkit"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -30117,7 +30772,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic looks for possible installing a linux kernel module using modprobe utility function. This event can detect a installation of rootkit or malicious kernel module to gain elevated privileges to their malicious code and bypassed detections. This Anomaly detection is a good indicator that someone installing kernel module in a linux host either admin or adversaries. filter is needed in this scenario -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for possible installing a linux kernel module using modprobe utility function. This event can detect a installation of rootkit or malicious kernel module to gain elevated privileges to their malicious code and bypassed detections. This Anomaly detection is a good indicator that someone installing kernel module in a linux host either admin or adversaries. filter is needed in this scenario action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -30140,7 +30795,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Rootkit"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Rootkit"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.006", "T1547"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -30157,7 +30812,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic looks for suspicious commandline that modify the iptables firewall setting of a linux machine. This technique was seen in cyclopsblink malware where it modifies the firewall setting of the compromised machine to allow traffic to its tcp port that will be used to communicate with its C2 server. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for suspicious commandline that modify the iptables firewall setting of a linux machine. This technique was seen in cyclopsblink malware where it modifies the firewall setting of the compromised machine to allow traffic to its tcp port that will be used to communicate with its C2 server. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -30180,7 +30835,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Iptables Firewall Modification - Rule -action.correlationsearch.annotations = {"analytic_story": ["Sandworm Tools", "CyclopsBLink"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Sandworm Tools", "CyclopsBLink"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -30197,7 +30852,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the process name of Java, Apache, or Tomcat spawning a Linux shell. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). The shells included in the macro are "sh", "ksh", "zsh", "bash", "dash", "rbash", "fish", "csh', "tcsh', "ion", "eshell". Upon triage, review parallel processes and command-line arguments to determine legitimacy. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the process name of Java, Apache, or Tomcat spawning a Linux shell. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). The shells included in the macro are "sh", "ksh", "zsh", "bash", "dash", "rbash", "fish", "csh', "tcsh', "ion", "eshell". Upon triage, review parallel processes and command-line arguments to determine legitimacy. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -30220,7 +30875,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Java Spawning Shell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Spring4Shell CVE-2022-22965", "Hermetic Wiper", "Log4Shell CVE-2021-44228"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-44228"], "impact": 80, "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Spring4Shell CVE-2022-22965", "Hermetic Wiper", "Log4Shell CVE-2021-44228"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-44228"], "impact": 80, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -30243,7 +30898,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the process kmod being utilized to list kernel modules in use. Typically, this is not seen as malicious, however it may be a precurser to the use of insmod to install a module. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1082", "T1014"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082", "T1014"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the process kmod being utilized to list kernel modules in use. Typically, this is not seen as malicious, however it may be a precurser to the use of insmod to install a module. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -30266,7 +30921,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Kernel Module Enumeration - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Rootkit"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1082", "T1014"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Rootkit"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082", "T1014"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -30283,7 +30938,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic looks for suspicious process kworker commandline in a linux machine. kworker process name or thread are common names of kernel threads in linux process. This hunting detections can lead to investigate process contains process path in writable directory in linux like /home/, /var/log and /tmp/. This technique was seen in cyclopsblink malware to blend its core and other of its child process as normal kworker on the compromised machine. This detection might be a good pivot to look for other IOC related to cyclopsblink malware or attacks. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1036.004", "T1036"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.004", "T1036"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for suspicious process kworker commandline in a linux machine. kworker process name or thread are common names of kernel threads in linux process. This hunting detections can lead to investigate process contains process path in writable directory in linux like /home/, /var/log and /tmp/. This technique was seen in cyclopsblink malware to blend its core and other of its child process as normal kworker on the compromised machine. This detection might be a good pivot to look for other IOC related to cyclopsblink malware or attacks. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -30301,7 +30956,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Kworker Process In Writable Process Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["Sandworm Tools", "CyclopsBLink"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "mitre_attack": ["T1036.004", "T1036"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Sandworm Tools", "CyclopsBLink"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.004", "T1036"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -30318,7 +30973,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The Linux make command is used to build and maintain groups of programs and files from the source code. In Linux, it is one of the most frequently used commands by the developers. It assists developers to install and compile many utilities from the terminal. If sudo right is given to make utility for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The Linux make command is used to build and maintain groups of programs and files from the source code. In Linux, it is one of the most frequently used commands by the developers. It assists developers to install and compile many utilities from the terminal. If sudo right is given to make utility for the user, then the user can run system commands as root and possibly get a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -30341,7 +30996,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Make Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -30358,7 +31013,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = MySQL is an open-source relational database management system. Its name is a combination of "My", the name of co-founder Michael Widenius's daughter My, and "SQL", the abbreviation for Structured Query Language. If sudo right is given to mysql utility for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = MySQL is an open-source relational database management system. Its name is a combination of "My", the name of co-founder Michael Widenius's daughter My, and "SQL", the abbreviation for Structured Query Language. If sudo right is given to mysql utility for the user, then the user can run system commands as root and possibly get a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -30381,7 +31036,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux MySQL Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -30398,7 +31053,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the use of Ngrok being utilized on the Linux operating system. Unfortunately, there is no original file name for Ngrok, so it may be worth an additional hunt to identify any command-line arguments. The sign of someone using Ngrok is not malicious, however, more recently it has become an adversary tool. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1572", "T1090", "T1102"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1572", "T1090", "T1102"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the use of Ngrok being utilized on the Linux operating system. Unfortunately, there is no original file name for Ngrok, so it may be worth an additional hunt to identify any command-line arguments. The sign of someone using Ngrok is not malicious, however, more recently it has become an adversary tool. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -30421,7 +31076,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Ngrok Reverse Proxy Usage - Rule -action.correlationsearch.annotations = {"analytic_story": ["Reverse Network Proxy"], "cis20": ["CIS 10"], "confidence": 100, "impact": 50, "mitre_attack": ["T1572", "T1090", "T1102"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Reverse Network Proxy"], "cis20": ["CIS 10"], "confidence": 100, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1572", "T1090", "T1102"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -30438,7 +31093,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = Node.js is a back-end JavaScript runtime environment that is open-source, cross-platform, runs on the V8 engine, and executes JavaScript code outside of a web browser. It was created to help create scalable network applications. If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = Node.js is a back-end JavaScript runtime environment that is open-source, cross-platform, runs on the V8 engine, and executes JavaScript code outside of a web browser. It was created to help create scalable network applications. If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -30461,7 +31116,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Node Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -30478,7 +31133,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic is to look for suspicious command lines that may add entry to /etc/sudoers with NOPASSWD attribute in linux platform. This technique is commonly abuse by adversaries, malware author and red teamers to gain elevated privilege to the targeted or compromised host. /etc/sudoers file controls who can run what commands users can execute on the machines and can also control whether user need a password to execute particular commands. This file is composed of aliases (basically variables) and user specifications. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to look for suspicious command lines that may add entry to /etc/sudoers with NOPASSWD attribute in linux platform. This technique is commonly abuse by adversaries, malware author and red teamers to gain elevated privilege to the targeted or compromised host. /etc/sudoers file controls who can run what commands users can execute on the machines and can also control whether user need a password to execute particular commands. This file is composed of aliases (basically variables) and user specifications. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -30501,7 +31156,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux NOPASSWD Entry In Sudoers File - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -30518,7 +31173,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the use of base64 decode on Linux being utilized to deobfuscate a file. Identify the source of the file and determine if legitimate. Review parallel processes for further behavior before and after. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1027"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the use of base64 decode on Linux being utilized to deobfuscate a file. Identify the source of the file and determine if legitimate. Review parallel processes for further behavior before and after. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -30541,7 +31196,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Obfuscated Files or Information Base64 Decode - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1027"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -30558,7 +31213,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = GNU Octave is a high-level programming language primarily intended for scientific computing and numerical computation. Octave helps in solving linear and nonlinear problems numerically, and for performing other numerical experiments using a language that is mostly compatible with MATLAB. If sudo right is given to the application for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = GNU Octave is a high-level programming language primarily intended for scientific computing and numerical computation. Octave helps in solving linear and nonlinear problems numerically, and for performing other numerical experiments using a language that is mostly compatible with MATLAB. If sudo right is given to the application for the user, then the user can run system commands as root and possibly get a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -30581,7 +31236,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Octave Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -30598,7 +31253,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = OpenVPN is a virtual private network system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications. If sudo right is given to the OpenVPN application for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = OpenVPN is a virtual private network system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications. If sudo right is given to the OpenVPN application for the user, then the user can run system commands as root and possibly get a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -30621,7 +31276,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux OpenVPN Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -30638,7 +31293,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following correlation is specific to Linux persistence and privilege escalation tactics and is tied to two analytic stories and any Linux analytic tied to persistence and privilege escalation. These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Risk"] action.escu.eli5 = The following correlation is specific to Linux persistence and privilege escalation tactics and is tied to two analytic stories and any Linux analytic tied to persistence and privilege escalation. These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context. action.escu.how_to_implement = Ensure Linux anomaly and TTP analytics are enabled. TTP may be set to Notables for point detections, anomaly should not be notables but risk generators. The correlation relies on more than x amount of distict detection names generated before generating a notable. Modify the value as needed. Default value is set to 4. This value may need to be increased based on activity in your environment. 
@@ -30656,7 +31311,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - RIR - Linux Persistence and Privilege Escalation Risk Behavior - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1548"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.AE"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -30679,7 +31334,7 @@ search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_ action.escu = 0 action.escu.enabled = 1 description = PHP is a general-purpose scripting language geared toward web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1994. The PHP reference implementation is now produced by The PHP Group. If sudo right is given to php application for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = PHP is a general-purpose scripting language geared toward web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1994. The PHP reference implementation is now produced by The PHP Group. If sudo right is given to php application for the user, then the user can run system commands as root and possibly get a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -30702,7 +31357,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux PHP Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -30719,7 +31374,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies `pkexec` spawning with no command-line arguments. A vulnerability in Polkit's pkexec component identified as CVE-2021-4034 (PwnKit) which is present in the default configuration of all major Linux distributions and can be exploited to gain full root privileges on the system. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies `pkexec` spawning with no command-line arguments. A vulnerability in Polkit's pkexec component identified as CVE-2021-4034 (PwnKit) which is present in the default configuration of all major Linux distributions and can be exploited to gain full root privileges on the system. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -30742,7 +31397,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux pkexec Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2021-4034"], "impact": 80, "mitre_attack": ["T1068"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2021-4034"], "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -30765,7 +31420,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint action.escu = 0 action.escu.enabled = 1 description = This analytic is to look for suspicious process command-line that might be accessing or modifying sshd_config. This file is the ssh configuration file that might be modify by threat actors or adversaries to redirect port connection, allow user using authorized key generated during attack. This anomaly detection might catch noise from administrator auditing or modifying ssh configuration file. In this scenario filter is needed -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to look for suspicious process command-line that might be accessing or modifying sshd_config. This file is the ssh configuration file that might be modify by threat actors or adversaries to redirect port connection, allow user using authorized key generated during attack. This anomaly detection might catch noise from administrator auditing or modifying ssh configuration file. In this scenario filter is needed action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -30788,7 +31443,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -30805,7 +31460,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect a possible attempt to dump or access the content of /etc/passwd and /etc/shadow to enable offline credential cracking. "etc/passwd" store user information within linux OS while "etc/shadow" contain the user passwords hash. Adversaries and threat actors may attempt to access this to gain persistence and/or privilege escalation. This anomaly detection can be a good indicator of possible credential dumping technique but it might catch some normal administrator automation scripts or during credential auditing. In this scenario filter is needed. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.008", "T1003"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.008", "T1003"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to detect a possible attempt to dump or access the content of /etc/passwd and /etc/shadow to enable offline credential cracking. "etc/passwd" store user information within linux OS while "etc/shadow" contain the user passwords hash. Adversaries and threat actors may attempt to access this to gain persistence and/or privilege escalation. This anomaly detection can be a good indicator of possible credential dumping technique but it might catch some normal administrator automation scripts or during credential auditing. In this scenario filter is needed. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. 
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -30828,7 +31483,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Possible Access To Credential Files - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1003.008", "T1003"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.008", "T1003"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -30845,7 +31500,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect a possible access or modification of /etc/sudoers file. "/etc/sudoers" file controls who can run what command as what users on what machine and can also control whether a specific user need a password for particular commands. adversaries and threat actors abuse this file to gain persistence and/or privilege escalation during attack on targeted host. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to detect a possible access or modification of /etc/sudoers file. "/etc/sudoers" file controls who can run what command as what users on what machine and can also control whether a specific user need a password for particular commands. adversaries and threat actors abuse this file to gain persistence and/or privilege escalation during attack on targeted host. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -30868,7 +31523,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Possible Access To Sudoers File - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -30886,7 +31541,7 @@ action.escu = 0 action.escu.enabled = 1 description = The following analytic is designed to identify suspicious command lines that may append user entries to either /etc/at.allow or /etc/at.deny. These files can be exploited by malicious actors for persistence on a compromised Linux host by altering permissions for scheduled tasks using the at command.\ In this context, an attacker can create a user or add an existing user to these configuration files to execute their malicious code through scheduled tasks. The detection of such anomalous behavior can serve as an effective indicator warranting further investigation to validate if the activity is indeed malicious or a false positive. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.002", "T1053"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.002", "T1053"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic is designed to identify suspicious command lines that may append user entries to either /etc/at.allow or /etc/at.deny. These files can be exploited by malicious actors for persistence on a compromised Linux host by altering permissions for scheduled tasks using the at command.\ In this context, an attacker can create a user or add an existing user to these configuration files to execute their malicious code through scheduled tasks. The detection of such anomalous behavior can serve as an effective indicator warranting further investigation to validate if the activity is indeed malicious or a false positive. 
@@ -30910,7 +31565,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Possible Append Command To At Allow Config File - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "mitre_attack": ["T1053.002", "T1053"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.002", "T1053"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -30927,7 +31582,7 @@ search = | tstats `security_content_summariesonly` count from datamodel=Endpoint action.escu = 0 action.escu.enabled = 1 description = This analytic looks for suspicious command-lines that can be possibly used to modify user profile files to automatically execute scripts/executables by shell upon reboot of the machine. This technique is commonly abused by adversaries, malware and red teamers as persistence mechanism to the targeted or compromised host. This Anomaly detection is a good indicator that someone wants to run code after reboot which can be done also by the administrator or network operator for automation purposes. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1546.004", "T1546"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.004", "T1546"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for suspicious command-lines that can be possibly used to modify user profile files to automatically execute scripts/executables by shell upon reboot of the machine. This technique is commonly abused by adversaries, malware and red teamers as persistence mechanism to the targeted or compromised host. This Anomaly detection is a good indicator that someone wants to run code after reboot which can be done also by the administrator or network operator for automation purposes. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -30950,7 +31605,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Possible Append Command To Profile Config File - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1546.004", "T1546"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.004", "T1546"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -30969,7 +31624,7 @@ action.escu.enabled = 1 description = The following analytic is designed to detect potential tampering with cronjob files on a Linux system. It specifically searches for command lines that may be used to append code to existing cronjob files, a technique often employed by adversaries, malware, and red teamers for persistence or privilege escalation. Altering existing or sometimes normal cronjob script files allows malicious code to be executed automatically.\ The analytic operates by monitoring logs for specific process names, parent processes, and command-line executions from your endpoints. It specifically checks for any 'echo' command which modifies files in directories commonly associated with cron jobs such as '/etc/cron*', '/var/spool/cron/', and '/etc/anacrontab'. If such activity is detected, an alert is triggered.\ This behavior is worth identifying for a SOC because malicious cron jobs can lead to system compromises and unauthorized data access, impacting business operations and data integrity. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic is designed to detect potential tampering with cronjob files on a Linux system. It specifically searches for command lines that may be used to append code to existing cronjob files, a technique often employed by adversaries, malware, and red teamers for persistence or privilege escalation. Altering existing or sometimes normal cronjob script files allows malicious code to be executed automatically.\ The analytic operates by monitoring logs for specific process names, parent processes, and command-line executions from your endpoints. 
It specifically checks for any 'echo' command which modifies files in directories commonly associated with cron jobs such as '/etc/cron*', '/var/spool/cron/', and '/etc/anacrontab'. If such activity is detected, an alert is triggered.\ @@ -30989,7 +31644,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -31009,7 +31664,7 @@ description = The following analytic detects potential unauthorized modification In case of a true positive, the impact could be severe. An attacker with escalated privileges or persistent access could carry out damaging actions, such as data theft, sabotage, or further network penetration.\ To implement this analytic, ensure ingestion of logs tracking process name, parent process, and command-line executions from your endpoints. Utilize the Add-on for Linux Sysmon from Splunkbase if you're using Sysmon.\ Known false positives include legitimate administrative tasks, as these commands may also be used for benign purposes. Careful tuning and filtering based on known benign activity in your environment can minimize these instances. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects potential unauthorized modifications to Linux cronjobs using text editors like "nano", "vi" or "vim". It identifies this behavior by tracking command-line executions that interact with paths related to cronjob configuration, a common Linux scheduling utility. Cronjob files may be manipulated by attackers for privilege escalation or persistent access, making such changes critical to monitor.\ The identified behavior is significant for a Security Operations Center (SOC) as it could indicate an ongoing attempt at establishing persistent access or privilege escalation, leading to data breaches, system compromise, or other malicious activities.\ In case of a true positive, the impact could be severe. An attacker with escalated privileges or persistent access could carry out damaging actions, such as data theft, sabotage, or further network penetration.\ 
@@ -31030,7 +31685,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Possible Cronjob Modification With Editor - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 30, "impact": 20, "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 30, "impact": 20, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -31047,7 +31702,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic is to look for possible ssh key file creation on ~/.ssh/ folder. This technique is commonly abused by threat actors and adversaries to gain persistence and privilege escalation to the targeted host. by creating ssh private and public key and passing the public key to the attacker server. threat actor can access remotely the machine using openssh daemon service. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to look for possible ssh key file creation on ~/.ssh/ folder. This technique is commonly abused by threat actors and adversaries to gain persistence and privilege escalation to the targeted host. by creating ssh private and public key and passing the public key to the attacker server. threat actor can access remotely the machine using openssh daemon service. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. 
@@ -31070,7 +31725,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux Possible Ssh Key File Creation - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.004", "T1098"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -31087,7 +31742,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic is to detect a suspicious command that may hijack a library function in linux platform. This technique is commonly abuse by adversaries, malware author and red teamers to gain privileges and persist on the machine. This detection pertains to loading a dll to hijack or hook a library function of specific program using LD_PRELOAD command.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1574.006", "T1574"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.006", "T1574"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic is to detect a suspicious command that may hijack a library function in linux platform. This technique is commonly abuse by adversaries, malware author and red teamers to gain privileges and persist on the machine. This detection pertains to loading a dll to hijack or hook a library function of specific program using LD_PRELOAD command.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -31110,7 +31765,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux Preload Hijack Library Calls - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1574.006", "T1574"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.006", "T1574"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -31133,7 +31788,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies curl being utilized with a proxy based on command-line arguments - -x, socks, --preproxy and --proxy. This behavior is built into the MetaSploit Framework as a auxiliary module. What does socks buy an adversary? SOCKS4a extends the SOCKS4 protocol to allow a client to specify a destination domain name rather than an IP address. The SOCKS5 protocol is defined in RFC 1928. It is an incompatible extension of the SOCKS4 protocol; it offers more choices for authentication and adds support for IPv6 and UDP, the latter of which can be used for DNS lookups. The protocols, and a proxy itself, allow an adversary to evade controls in place monitoring traffic, making it harder for the defender to identify and track activity.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1090", "T1095"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1090", "T1095"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies curl being utilized with a proxy based on command-line arguments - -x, socks, --preproxy and --proxy. This behavior is built into the MetaSploit Framework as a auxiliary module. What does socks buy an adversary? SOCKS4a extends the SOCKS4 protocol to allow a client to specify a destination domain name rather than an IP address. The SOCKS5 protocol is defined in RFC 1928. It is an incompatible extension of the SOCKS4 protocol; it offers more choices for authentication and adds support for IPv6 and UDP, the latter of which can be used for DNS lookups. The protocols, and a proxy itself, allow an adversary to evade controls in place monitoring traffic, making it harder for the defender to identify and track activity.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -31156,7 +31811,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux Proxy Socks Curl - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Ingress Tool Transfer"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1090", "T1095"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land", "Ingress Tool Transfer"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1090", "T1095"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -31179,7 +31834,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = In computing, Puppet is a software configuration management tool which includes its own declarative language to describe system configuration. It is a model-driven solution that requires limited programming knowledge to use. If sudo right is given to the tool for the user, then the user can run system commands as root and possibly get a root shell.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = In computing, Puppet is a software configuration management tool which includes its own declarative language to describe system configuration. It is a model-driven solution that requires limited programming knowledge to use. If sudo right is given to the tool for the user, then the user can run system commands as root and possibly get a root shell.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -31202,7 +31857,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux Puppet Privilege Escalation - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -31219,7 +31874,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = RPM Package Manager is a free and open-source package management system. The name RPM refers to the .rpm file format and the package manager program itself. RPM was intended primarily for Linux distributions; the file format is the baseline package format of the Linux Standard Base. If sudo right is given to rpm utility for the user, then the user can run system commands as root and possibly get a root shell.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = RPM Package Manager is a free and open-source package management system. The name RPM refers to the .rpm file format and the package manager program itself. RPM was intended primarily for Linux distributions; the file format is the baseline package format of the Linux Standard Base. If sudo right is given to rpm utility for the user, then the user can run system commands as root and possibly get a root shell.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -31242,7 +31897,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux RPM Privilege Escalation - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -31259,7 +31914,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = Ruby is one of the most used and easy to use programming languages. Ruby is an open-source, object-oriented interpreter that can be installed on a Linux system. If sudo right is given to ruby application for the user, then the user can run system commands as root and possibly get a root shell.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = Ruby is one of the most used and easy to use programming languages. Ruby is an open-source, object-oriented interpreter that can be installed on a Linux system. If sudo right is given to ruby application for the user, then the user can run system commands as root and possibly get a root shell.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -31282,7 +31937,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux Ruby Privilege Escalation - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -31300,7 +31955,7 @@ action.escu = 0
 action.escu.enabled = 1
 description = The following analytic is designed to detect suspicious file creation within the systemd timer directory on Linux platforms. Systemd is a system and service manager for Linux, similar to the combination of wininit.exe and services.exe on Windows. This process initializes a Linux system and starts defined services in unit files. Malicious actors, such as adversaries, malware, or red teamers, can exploit this feature by embedding a systemd service file for persistence on the targeted or compromised host.\
 The analytic works by monitoring logs with file name, file path, and process GUID data from your endpoints. If a .service file is created in certain systemd directories, the analytic triggers an alert. This behavior is significant for a Security Operations Center (SOC) as it may indicate a persistent threat within the network, with a potential impact of system compromise or data exfiltration.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic is designed to detect suspicious file creation within the systemd timer directory on Linux platforms. Systemd is a system and service manager for Linux, similar to the combination of wininit.exe and services.exe on Windows. This process initializes a Linux system and starts defined services in unit files. Malicious actors, such as adversaries, malware, or red teamers, can exploit this feature by embedding a systemd service file for persistence on the targeted or compromised host.\
 The analytic works by monitoring logs with file name, file path, and process GUID data from your endpoints. If a .service file is created in certain systemd directories, the analytic triggers an alert. This behavior is significant for a Security Operations Center (SOC) as it may indicate a persistent threat within the network, with a potential impact of system compromise or data exfiltration.
@@ -31324,7 +31979,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux Service File Created In Systemd Directory - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -31343,7 +31998,7 @@ action.escu.enabled = 1
 description = The following analytic detects the restarting or re-enabling of services in the Linux platform. It focuses on the use of the systemctl or service tools for executing these actions. Adversaries may leverage this technique to repeatedly execute malicious payloads as a form of persistence. Linux hosts typically start services during boot to perform background system functions. However, administrators may also create legitimate services for specific tools or applications as part of task automation. In such cases, it is recommended to verify the service path of the registered script or executable and identify the creator of the service for further validation.\
 It's important to be aware that this analytic may generate false positives as administrators or network operators may use the same command-line for legitimate automation purposes. Filter macros should be updated accordingly to minimize false positives.\
 Identifying restarted or re-enabled services is valuable for a SOC as it can indicate potential malicious activities attempting to maintain persistence or execute unauthorized actions on Linux systems. By detecting and investigating these events, security analysts can respond promptly to mitigate risks and prevent further compromise. The impact of a true positive can range from unauthorized access to data destruction or other damaging outcomes.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic detects the restarting or re-enabling of services in the Linux platform. It focuses on the use of the systemctl or service tools for executing these actions. Adversaries may leverage this technique to repeatedly execute malicious payloads as a form of persistence. Linux hosts typically start services during boot to perform background system functions. However, administrators may also create legitimate services for specific tools or applications as part of task automation. In such cases, it is recommended to verify the service path of the registered script or executable and identify the creator of the service for further validation.\
 It's important to be aware that this analytic may generate false positives as administrators or network operators may use the same command-line for legitimate automation purposes. Filter macros should be updated accordingly to minimize false positives.\
@@ -31368,7 +32023,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux Service Restarted - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Linux Privilege Escalation", "Linux Living Off The Land", "Data Destruction", "Linux Persistence Techniques", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Linux Privilege Escalation", "Linux Living Off The Land", "Data Destruction", "Linux Persistence Techniques", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -31385,7 +32040,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic detects the creation or enabling of services in Linux platforms, specifically using the systemctl or service tool application. This behavior is worth identifying as adversaries may create or modify services to execute malicious payloads as part of persistence. Legitimate services created by administrators for automation purposes may also trigger this analytic, so it is important to update the filter macros to remove false positives. If a true positive is found, it suggests an possible attacker is attempting to persist within the environment or deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the process name, parent process, and command-line executions from your endpoints.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic detects the creation or enabling of services in Linux platforms, specifically using the systemctl or service tool application. This behavior is worth identifying as adversaries may create or modify services to execute malicious payloads as part of persistence. Legitimate services created by administrators for automation purposes may also trigger this analytic, so it is important to update the filter macros to remove false positives. If a true positive is found, it suggests an possible attacker is attempting to persist within the environment or deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the process name, parent process, and command-line executions from your endpoints.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -31408,7 +32063,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux Service Started Or Enabled - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -31425,7 +32080,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for suspicious chmod utility execution to enable SUID bit. This allows a user to temporarily gain root access, usually in order to run a program. For example, only the root account is allowed to change the password information contained in the password database; If the SUID bit appears as an s, the file's owner also has execute permission to the file; if it appears as an S, the file's owner does not have execute permission. The second specialty permission is the SGID, or set group id bit. It is similar to the SUID bit, except it can temporarily change group membership, usually to execute a program. The SGID bit is set if an s or an S appears in the group section of permissions.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for suspicious chmod utility execution to enable SUID bit. This allows a user to temporarily gain root access, usually in order to run a program. For example, only the root account is allowed to change the password information contained in the password database; If the SUID bit appears as an s, the file's owner also has execute permission to the file; if it appears as an S, the file's owner does not have execute permission. The second specialty permission is the SGID, or set group id bit. It is similar to the SUID bit, except it can temporarily change group membership, usually to execute a program. The SGID bit is set if an s or an S appears in the group section of permissions.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -31448,7 +32103,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux Setuid Using Chmod Utility - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -31465,7 +32120,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for suspicious setcap utility execution to enable SUID bit. This allows a user to temporarily gain root access, usually in order to run a program. For example, only the root account is allowed to change the password information contained in the password database; If the SUID bit appears as an s, the file's owner also has execute permission to the file; if it appears as an S, the file's owner does not have execute permission. The second specialty permission is the SGID, or set group id bit. It is similar to the SUID bit, except it can temporarily change group membership, usually to execute a program. The SGID bit is set if an s or an S appears in the group section of permissions.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for suspicious setcap utility execution to enable SUID bit. This allows a user to temporarily gain root access, usually in order to run a program. For example, only the root account is allowed to change the password information contained in the password database; If the SUID bit appears as an s, the file's owner also has execute permission to the file; if it appears as an S, the file's owner does not have execute permission. The second specialty permission is the SGID, or set group id bit. It is similar to the SUID bit, except it can temporarily change group membership, usually to execute a program. The SGID bit is set if an s or an S appears in the group section of permissions.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -31488,7 +32143,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Linux Setuid Using Setcap Utility - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.001", "T1548"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -31505,7 +32160,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect a shred process to overwrite a files in a linux machine. Shred Linux application is designed to overwrite file to hide its contents or make the deleted file un-recoverable. Weve seen this technique in industroyer2 malware that tries to wipe energy facilities of targeted sector as part of its destructive attack. It might be some normal user may use this command for valid purposes but it is recommended to check what files, disk or folder it tries to shred that might be good pivot for incident response in this type of destructive malware. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to detect a shred process to overwrite a files in a linux machine. Shred Linux application is designed to overwrite file to hide its contents or make the deleted file un-recoverable. Weve seen this technique in industroyer2 malware that tries to wipe energy facilities of targeted sector as part of its destructive attack. It might be some normal user may use this command for valid purposes but it is recommended to check what files, disk or folder it tries to shred that might be good pivot for incident response in this type of destructive malware. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. 
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -31528,7 +32183,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Shred Overwrite Command - Rule -action.correlationsearch.annotations = {"analytic_story": ["Industroyer2", "AwfulShred", "Linux Privilege Escalation", "Data Destruction", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1485"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Industroyer2", "AwfulShred", "Linux Privilege Escalation", "Data Destruction", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -31551,7 +32206,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = sqlite3 is a terminal-based front-end to the SQLite library that can evaluate queries interactively and display the results in multiple formats. sqlite3 can also be used within shell scripts and other applications to provide batch processing features. If sudo right is given to this application for the user, then the user can run system commands as root and possibly get a root shell. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = sqlite3 is a terminal-based front-end to the SQLite library that can evaluate queries interactively and display the results in multiple formats. sqlite3 can also be used within shell scripts and other applications to provide batch processing features. If sudo right is given to this application for the user, then the user can run system commands as root and possibly get a root shell. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -31574,7 +32229,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Sqlite3 Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -31591,7 +32246,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies based on process execution the modification of SSH Authorized Keys. Adversaries perform this behavior to persist on endpoints. During triage, review parallel processes and capture any additional file modifications for review. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1098.004"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.004"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies based on process execution the modification of SSH Authorized Keys. Adversaries perform this behavior to persist on endpoints. During triage, review parallel processes and capture any additional file modifications for review. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -31614,7 +32269,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux SSH Authorized Keys Modification - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1098.004"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098.004"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -31631,7 +32286,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies SSH being utilized to move laterally and execute a script or file on the remote host. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1021.004"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.004"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies SSH being utilized to move laterally and execute a script or file on the remote host. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -31654,7 +32309,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux SSH Remote Services Script Execute - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "mitre_attack": ["T1021.004"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.004"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -31677,7 +32332,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic looks for suspicious commandline that redirect the stdout or possible stderror to dev/null file. This technique was seen in cyclopsblink malware where it redirect the possible output or error while modify the iptables firewall setting of the compromised machine to hide its action from the user. This Anomaly detection is a good pivot to look further why process or user use this un common approach. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for suspicious commandline that redirect the stdout or possible stderror to dev/null file. This technique was seen in cyclopsblink malware where it redirect the possible output or error while modify the iptables firewall setting of the compromised machine to hide its action from the user. This Anomaly detection is a good pivot to look further why process or user use this un common approach. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -31700,7 +32355,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Linux Stdout Redirection To Dev Null File - Rule -action.correlationsearch.annotations = {"analytic_story": ["CyclopsBLink", "Data Destruction", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["CyclopsBLink", "Data Destruction", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -31717,7 +32372,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic is to detect events that attempt to stop or clear a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then delete it. Adversaries utilize this technique like industroyer2 malware to terminate security services or other related services to continue there objective as a destructive payload. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic is to detect events that attempt to stop or clear a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then delete it. Adversaries utilize this technique like industroyer2 malware to terminate security services or other related services to continue there objective as a destructive payload. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -31740,7 +32395,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Stop Services - Rule -action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1489"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -31763,7 +32418,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect the execution of sudo or su command in linux operating system. The "sudo" command allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This command is commonly abused by adversaries, malware author and red teamers to elevate privileges to the targeted host. This command can be executed by administrator for legitimate purposes or to execute process that need admin privileges, In this scenario filter is needed. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to detect the execution of sudo or su command in linux operating system. The "sudo" command allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This command is commonly abused by adversaries, malware author and red teamers to elevate privileges to the targeted host. This command can be executed by administrator for legitimate purposes or to execute process that need admin privileges, In this scenario filter is needed. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -31781,7 +32436,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Sudo OR Su Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -31798,7 +32453,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic is to looks for file creation of sudoers.tmp file cause by editing /etc/sudoers using visudo or editor in linux platform. This technique may abuse by adversaries, malware author and red teamers to gain elevated privilege to targeted or compromised host. /etc/sudoers file controls who can run what commands as what users on what machines and can also control special things such as whether you need a password for particular commands. The file is composed of aliases (basically variables) and user specifications (which control who can run what). -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to looks for file creation of sudoers.tmp file cause by editing /etc/sudoers using visudo or editor in linux platform. This technique may abuse by adversaries, malware author and red teamers to gain elevated privilege to targeted or compromised host. /etc/sudoers file controls who can run what commands as what users on what machines and can also control special things such as whether you need a password for particular commands. The file is composed of aliases (basically variables) and user specifications (which control who can run what). action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. 
@@ -31821,7 +32476,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Sudoers Tmp File Creation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -31838,7 +32493,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic is to look for possible enumeration of local network configuration. This technique is commonly used as part of recon of adversaries or threat actor to know some network information for its next or further attack. This anomaly detections may capture normal event made by administrator during auditing or testing network connection of specific host or network to network. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1016"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1016"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to look for possible enumeration of local network configuration. This technique is commonly used as part of recon of adversaries or threat actor to know some network information for its next or further attack. This anomaly detections may capture normal event made by administrator during auditing or testing network connection of specific host or network to network. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -31861,7 +32516,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux System Network Discovery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Network Discovery", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "mitre_attack": ["T1016"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Network Discovery", "Industroyer2"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1016"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -31878,7 +32533,7 @@ search = | tstats `security_content_summariesonly` count values(Processes.proces action.escu = 0 action.escu.enabled = 1 description = This analytic is to look for possible execution of SysReq hack to reboot the Linux system host. This technique was seen in Awfulshred malware wiper to reboot the compromised host by using the linux magic sysreq key. This kernel configuration can trigger reboot by piping out 'b' to /proc/sysrq-trigger after enabling all the functions of sysrq. This TTP detection can be a good indicator of possible suspicious processes running on the Linux host since this command is not a common way to reboot a system. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1529"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1529"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to look for possible execution of SysReq hack to reboot the Linux system host. This technique was seen in Awfulshred malware wiper to reboot the compromised host by using the linux magic sysreq key. This kernel configuration can trigger reboot by piping out 'b' to /proc/sysrq-trigger after enabling all the functions of sysrq. This TTP detection can be a good indicator of possible suspicious processes running on the Linux host since this command is not a common way to reboot a system. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -31901,7 +32556,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux System Reboot Via System Request Key - Rule -action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1529"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1529"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -31924,7 +32579,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic is to look for possible execution of SysReq hack to enable all functions of kernel system requests of the Linux system host. This technique was seen in AwfulShred malware wiper to reboot the compromised host by using the linux magic sysreq key. This kernel configuration can be triggered by piping out bitmask '1' to /proc/sys/kernel/sysrq. This TTP detection can be a good indicator of possible suspicious processes running on the Linux host since this command is not so common shell commandline. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.004", "T1059"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.004", "T1059"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to look for possible execution of SysReq hack to enable all functions of kernel system requests of the Linux system host. This technique was seen in AwfulShred malware wiper to reboot the compromised host by using the linux magic sysreq key. This kernel configuration can be triggered by piping out bitmask '1' to /proc/sys/kernel/sysrq. This TTP detection can be a good indicator of possible suspicious processes running on the Linux host since this command is not so common shell commandline. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -31947,7 +32602,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Unix Shell Enable All SysRq Functions - Rule -action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "mitre_attack": ["T1059.004", "T1059"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.004", "T1059"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -31964,7 +32619,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic is to looks for suspicious commandline that add entry to /etc/sudoers by using visudo utility tool in linux platform. This technique may abuse by adversaries, malware author and red teamers to gain elevated privilege to targeted or compromised host. /etc/sudoers file controls who can run what commands as what users on what machines and can also control special things such as whether you need a password for particular commands. The file is composed of aliases (basically variables) and user specifications (which control who can run what). -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to looks for suspicious commandline that add entry to /etc/sudoers by using visudo utility tool in linux platform. This technique may abuse by adversaries, malware author and red teamers to gain elevated privilege to targeted or compromised host. /etc/sudoers file controls who can run what commands as what users on what machines and can also control special things such as whether you need a password for particular commands. The file is composed of aliases (basically variables) and user specifications (which control who can run what). action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -31987,7 +32642,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Visudo Utility Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 40, "impact": 40, "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 40, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.003", "T1548"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -32004,7 +32659,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following correlation identifies a distinct amount of analytics associated with the Living Off The Land analytic story that identify potentially suspicious behavior. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1105", "T1190", "T1059", "T1133"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Delivery", "Installation"], "mitre_attack": ["T1105", "T1190", "T1059", "T1133"], "nist": ["DE.AE"]} action.escu.data_models = ["Risk"] action.escu.eli5 = The following correlation identifies a distinct amount of analytics associated with the Living Off The Land analytic story that identify potentially suspicious behavior. action.escu.how_to_implement = To implement this correlation search a user needs to enable all detections in the Living Off The Land Analytic Story and confirm it is generating risk events. A simple search `index=risk analyticstories="Living Off The Land"` should contain events. @@ -32022,7 +32677,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - RIR - Living Off The Land - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "mitre_attack": ["T1105", "T1190", "T1059", "T1133"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Command and Control", "Delivery", "Installation"], "mitre_attack": ["T1105", "T1190", "T1059", "T1133"], "nist": ["DE.AE"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -32045,7 +32700,7 @@ search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_ action.escu = 0 action.escu.enabled = 1 description = DynamicWrapperX is an ActiveX component that can be used in a script to call Windows API functions, but it requires the dynwrapx.dll to be installed and registered. With that, registering or loading dynwrapx.dll to a host is highly suspicious. In most instances when it is used maliciously, the best way to triage is to review parallel processes and pivot on the process_guid. Review the registry for any suspicious modifications meant to load dynwrapx.dll. Identify any suspicious module loads of dynwrapx.dll. This detection will return and identify the processes that invoke vbs/wscript/cscript. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1055", "T1055.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055", "T1055.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = DynamicWrapperX is an ActiveX component that can be used in a script to call Windows API functions, but it requires the dynwrapx.dll to be installed and registered. With that, registering or loading dynwrapx.dll to a host is highly suspicious. In most instances when it is used maliciously, the best way to triage is to review parallel processes and pivot on the process_guid. Review the registry for any suspicious modifications meant to load dynwrapx.dll. Identify any suspicious module loads of dynwrapx.dll. This detection will return and identify the processes that invoke vbs/wscript/cscript. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on processes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. 
In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. @@ -32068,7 +32723,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Loading Of Dynwrapx Module - Rule -action.correlationsearch.annotations = {"analytic_story": ["Remcos", "AsyncRAT"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1055", "T1055.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Remcos", "AsyncRAT"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055", "T1055.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -32091,7 +32746,7 @@ search = `sysmon` EventCode=7 (ImageLoaded = "*\\dynwrapx.dll" OR OriginalFileNa action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for local users. The two arguments `user` and 'users', return a list of all local users. Red Teams and adversaries alike use net.exe to enumerate users for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for local users. The two arguments `user` and 'users', return a list of all local users. Red Teams and adversaries alike use net.exe to enumerate users for situational awareness and Active Directory Discovery. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -32109,7 +32764,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Local Account Discovery with Net - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Sandworm Tools"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Sandworm Tools"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -32126,7 +32781,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for local users. The argument `useraccount` is used to leverage WMI to return a list of all local users. Red Teams and adversaries alike use net.exe to enumerate users for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for local users. The argument `useraccount` is used to leverage WMI to return a list of all local users. Red Teams and adversaries alike use net.exe to enumerate users for situational awareness and Active Directory Discovery. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -32144,7 +32799,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Local Account Discovery With Wmic - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -32161,7 +32816,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This correlation find exploitation of Log4Shell CVE-2021-44228 against systems using detections from Splunk Security Content Analytic Story. It does this by calculating the distinct count of MITRE ATT&CK tactics from Log4Shell detections fired. If the count is larger than 2 or more distinct MITRE ATT&CK tactics we assume high problability of exploitation. The Analytic story breaks down into 3 major phases of a Log4Shell exploitation, specifically> Initial Payload delivery eg. `${jndi:ldap://PAYLOAD_INJECTED}` Call back to malicious LDAP server eg. Exploit.class Post Exploitation Activity/Lateral Movement using Powershell or similar T1562.001 Each of these phases fall into different MITRE ATT&CK Tactics (Initial Access, Execution, Command And Control), by looking into 2 or more phases showing up in detections triggerd is how this correlation search finds exploitation. If we get a notable from this correlation search the best way to triage it is by investigating the affected systems against Log4Shell exploitation using Splunk SOAR playbooks. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1105", "T1190", "T1059", "T1133"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control", "Delivery", "Installation"], "mitre_attack": ["T1105", "T1190", "T1059", "T1133"], "nist": ["DE.AE"]} action.escu.data_models = ["Risk"] action.escu.eli5 = This correlation find exploitation of Log4Shell CVE-2021-44228 against systems using detections from Splunk Security Content Analytic Story. It does this by calculating the distinct count of MITRE ATT&CK tactics from Log4Shell detections fired. If the count is larger than 2 or more distinct MITRE ATT&CK tactics we assume high problability of exploitation. 
The Analytic story breaks down into 3 major phases of a Log4Shell exploitation, specifically> Initial Payload delivery eg. `${jndi:ldap://PAYLOAD_INJECTED}` Call back to malicious LDAP server eg. Exploit.class Post Exploitation Activity/Lateral Movement using Powershell or similar T1562.001 Each of these phases fall into different MITRE ATT&CK Tactics (Initial Access, Execution, Command And Control), by looking into 2 or more phases showing up in detections triggerd is how this correlation search finds exploitation. If we get a notable from this correlation search the best way to triage it is by investigating the affected systems against Log4Shell exploitation using Splunk SOAR playbooks. action.escu.how_to_implement = To implement this correlation search a user needs to enable all detections in the Log4Shell Analytic Story and confirm it is generation risk events. A simple search `index=risk analyticstories="Log4Shell CVE-2021-44228"` should contain events. @@ -32179,7 +32834,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - RIR - Log4Shell CVE-2021-44228 Exploitation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Log4Shell CVE-2021-44228", "CISA AA22-320A"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "mitre_attack": ["T1105", "T1190", "T1059", "T1133"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Log4Shell CVE-2021-44228", "CISA AA22-320A"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Command and Control", "Delivery", "Installation"], "mitre_attack": ["T1105", "T1190", "T1059", "T1133"], "nist": ["DE.AE"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -32202,7 +32857,7 @@ search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_ action.escu = 0 action.escu.enabled = 1 description = This search is to detect a suspicious modification of registry entry to persist and gain privilege escalation upon booting up of compromised host. This technique was seen in several APT and malware where it modify UserInitMprLogonScript registry entry to its malicious payload to be executed upon boot up of the machine. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1037", "T1037.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1037", "T1037.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search is to detect a suspicious modification of registry entry to persist and gain privilege escalation upon booting up of compromised host. This technique was seen in several APT and malware where it modify UserInitMprLogonScript registry entry to its malicious payload to be executed upon boot up of the machine. action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. 
@@ -32225,7 +32880,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Logon Script Event Trigger Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Windows Privilege Escalation", "Hermetic Wiper", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1037", "T1037.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Windows Privilege Escalation", "Hermetic Wiper", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1037", "T1037.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -32248,7 +32903,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTim action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies LOLBAS with network traffic. When adversaries abuse LOLBAS they are often used to download malicious code or executables. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like downloading malicious code. Looking for these process can help defenders identify lateral movement, command-and-control, or exfiltration activies. -action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1105", "T1567", "T1218"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command and Control", "Actions on Objectives", "Exploitation"], "mitre_attack": ["T1105", "T1567", "T1218"], "nist": ["DE.CM"]} action.escu.data_models = ["Network_Traffic"] action.escu.eli5 = The following analytic identifies LOLBAS with network traffic. When adversaries abuse LOLBAS they are often used to download malicious code or executables. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like downloading malicious code. Looking for these process can help defenders identify lateral movement, command-and-control, or exfiltration activies. action.escu.how_to_implement = To successfully implement this detection you must ingest events into the Network traffic data model that contain the source, destination, and communicating process in the app feild. Relevant processes must also be ingested in the Endpoint data model with matching process_id feild. Sysmon EID1 and EID3 are good examples of this type this data type. 
@@ -32263,7 +32918,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Living Off The Land"] action.risk = 1 action.risk.param._risk_message = The LOLBAS $process_name$ on device $src$ was seen communicating with $dest$. -action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] +action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "other", "risk_score": 25}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -32271,7 +32926,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - LOLBAS With Network Traffic - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "mitre_attack": ["T1105", "T1567", "T1218"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command and Control", "Actions on Objectives", "Exploitation"], "mitre_attack": ["T1105", "T1567", "T1218"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -32340,7 +32995,7 @@ search = | tstats `security_content_summariesonly` count values(Processes.proces action.escu = 0 action.escu.enabled = 1 description = Detect multiple executions of Living off the Land (LOLbin) binaries in a short period of time. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.004", "T1059"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.004", "T1059"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = Detect multiple executions of Living off the Land (LOLbin) binaries in a short period of time. action.escu.how_to_implement = This detection uses osquery and endpoint security on MacOS. Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery. @@ -32363,7 +33018,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - MacOS LOLbin - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1059.004", "T1059"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.004", "T1059"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -32386,7 +33041,7 @@ search = `osquery` name=es_process_events columns.cmdline IN ("find*", "crontab* action.escu = 0 action.escu.enabled = 1 description = Detect usage of plutil to modify plist files. Adversaries can modiy plist files to executed binaries or add command line arguments. Plist files in auto-run locations are executed upon user logon or system startup. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1647"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1647"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = Detect usage of plutil to modify plist files. Adversaries can modiy plist files to executed binaries or add command line arguments. Plist files in auto-run locations are executed upon user logon or system startup. action.escu.how_to_implement = This detection uses osquery and endpoint security on MacOS. Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery. @@ -32409,7 +33064,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - MacOS plutil - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1647"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1647"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -32432,7 +33087,7 @@ search = `osquery` name=es_process_events columns.path=/usr/bin/plutil | rename action.escu = 0 action.escu.enabled = 1 description = This search is to detect known mailsniper.ps1 functions executed in a machine. This technique was seen in some attacker to harvest some sensitive e-mail in a compromised exchange server. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1114", "T1114.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search is to detect known mailsniper.ps1 functions executed in a machine. This technique was seen in some attacker to harvest some sensitive e-mail in a compromised exchange server. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event. @@ -32455,7 +33110,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Mailsniper Invoke functions - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "mitre_attack": ["T1114", "T1114.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Data Exfiltration"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1114", "T1114.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -32478,7 +33133,7 @@ search = `powershell` EventCode=4104 ScriptBlockText IN ("*Invoke-GlobalO365Mail action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a process modifying the registry with a known malicious CLSID under InProcServer32. Most COM classes are registered with the operating system and are identified by a GUID that represents the Class Identifier (CLSID) within the registry (usually under HKLM\\Software\\Classes\\CLSID or HKCU\\Software\\Classes\\CLSID). Behind the implementation of a COM class is the server (some binary) that is referenced within registry keys under the CLSID. The LocalServer32 key represents a path to an executable (exe) implementation, and the InprocServer32 key represents a path to a dynamic link library (DLL) implementation (Bohops). During triage, review parallel processes for suspicious activity. Pivot on the process GUID to see the full timeline of events. Analyze the value and look for file modifications. Being this is looking for inprocserver32, a DLL found in the value will most likely be loaded by a parallel process. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218.010", "T1112"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.010", "T1112"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies a process modifying the registry with a known malicious CLSID under InProcServer32. Most COM classes are registered with the operating system and are identified by a GUID that represents the Class Identifier (CLSID) within the registry (usually under HKLM\\Software\\Classes\\CLSID or HKCU\\Software\\Classes\\CLSID). Behind the implementation of a COM class is the server (some binary) that is referenced within registry keys under the CLSID. 
The LocalServer32 key represents a path to an executable (exe) implementation, and the InprocServer32 key represents a path to a dynamic link library (DLL) implementation (Bohops). During triage, review parallel processes for suspicious activity. Pivot on the process GUID to see the full timeline of events. Analyze the value and look for file modifications. Being this is looking for inprocserver32, a DLL found in the value will most likely be loaded by a parallel process. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -32501,7 +33156,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Malicious InProcServer32 Modification - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Regsvr32 Activity", "Remcos"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1218.010", "T1112"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious Regsvr32 Activity", "Remcos"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.010", "T1112"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -32524,7 +33179,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint action.escu = 0 action.escu.enabled = 1 description = This detection is to identify the abuse the Windows SC.exe to execute malicious commands or payloads via PowerShell. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This detection is to identify the abuse the Windows SC.exe to execute malicious commands or payloads via PowerShell. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows System logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. @@ -32547,7 +33202,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Malicious Powershell Executed As A Service - Rule -action.correlationsearch.annotations = {"analytic_story": ["Malicious Powershell", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Malicious Powershell", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1569", "T1569.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -32573,7 +33228,7 @@ description = The following analytic identifies the use of the EncodedCommand Po
 The analytic identifies all variations of EncodedCommand, as PowerShell allows the ability to shorten the parameter. For example enc, enco, encod and so forth. In addition, through our research it was identified that PowerShell will interpret different command switch types beyond the hyphen. We have added endash, emdash, horizontal bar, and forward slash. \
 During triage, review parallel events to determine legitimacy. Tune as needed based on admin scripts in use. \
 Alternatively, may use regex per matching here https://regexr.com/662ov.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1027"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies the use of the EncodedCommand PowerShell parameter. This is typically used by Administrators to run complex scripts, but commonly used by adversaries to hide their code. \
 The analytic identifies all variations of EncodedCommand, as PowerShell allows the ability to shorten the parameter. For example enc, enco, encod and so forth. In addition, through our research it was identified that PowerShell will interpret different command switch types beyond the hyphen. We have added endash, emdash, horizontal bar, and forward slash. \
@@ -32594,7 +33249,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Malicious PowerShell Process - Encoded Command - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Hermetic Wiper", "Malicious PowerShell", "NOBELIUM Group", "WhisperGate", "DarkCrystal RAT", "Qakbot", "CISA AA22-320A", "Sandworm Tools", "Data Destruction", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "mitre_attack": ["T1027"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Hermetic Wiper", "Malicious PowerShell", "NOBELIUM Group", "WhisperGate", "DarkCrystal RAT", "Qakbot", "CISA AA22-320A", "Sandworm Tools", "Data Destruction", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -32611,7 +33266,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This search looks for PowerShell processes started with parameters used to bypass the local execution policy for scripts. These parameters are often observed in attacks leveraging PowerShell scripts as they override the default PowerShell execution policy.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search looks for PowerShell processes started with parameters used to bypass the local execution policy for scripts. These parameters are often observed in attacks leveraging PowerShell scripts as they override the default PowerShell execution policy.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -32634,7 +33289,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule
-action.correlationsearch.annotations = {"analytic_story": ["DHS Report TA18-074A", "HAFNIUM Group", "DarkCrystal RAT", "AsyncRAT", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["DHS Report TA18-074A", "HAFNIUM Group", "DarkCrystal RAT", "AsyncRAT", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -32657,7 +33312,7 @@ search = | tstats `security_content_summariesonly` values(Processes.process_id)
 action.escu = 0
 action.escu.enabled = 1
 description = This search looks for PowerShell processes launched with arguments that have characters indicative of obfuscation on the command-line.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search looks for PowerShell processes launched with arguments that have characters indicative of obfuscation on the command-line.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -32680,7 +33335,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -32703,7 +33358,7 @@ search = | tstats `security_content_summariesonly` count values(Processes.proces
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic looks for the use of Mimikatz command line parameters leveraged to execute pass the ticket attacks. Red teams and adversaries alike may use the pass the ticket technique using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Defenders should be aware that adversaries may customize the source code of Mimikatz and modify the command line parameters. This would effectively bypass this analytic.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1550", "T1550.003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.003"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic looks for the use of Mimikatz command line parameters leveraged to execute pass the ticket attacks. Red teams and adversaries alike may use the pass the ticket technique using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Defenders should be aware that adversaries may customize the source code of Mimikatz and modify the command line parameters. This would effectively bypass this analytic.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product.
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -32726,7 +33381,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Sandworm Tools", "CISA AA23-347A", "CISA AA22-320A", "Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "mitre_attack": ["T1550", "T1550.003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Sandworm Tools", "CISA AA23-347A", "CISA AA22-320A", "Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -32749,7 +33404,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies `mmc.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the DCOM protocol and the MMC20 COM object, the executed command is spawned as a child processs of `mmc.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of mmc.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1021", "T1021.003", "T1218.014"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.003", "T1218.014"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies `mmc.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the DCOM protocol and the MMC20 COM object, the executed command is spawned as a child processs of `mmc.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of mmc.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions.
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -32772,7 +33427,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Mmc LOLBAS Execution Process Spawn - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "mitre_attack": ["T1021", "T1021.003", "T1218.014"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.003", "T1218.014"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -32795,7 +33450,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic identifies suspicious modification of registry to deface or change the wallpaper of a compromised machines as part of its payload. This technique was commonly seen in ransomware like REVIL where it create a bitmap file contain a note that the machine was compromised and make it as a wallpaper.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1491"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1491"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = This analytic identifies suspicious modification of registry to deface or change the wallpaper of a compromised machines as part of its payload. This technique was commonly seen in ransomware like REVIL where it create a bitmap file contain a note that the machine was compromised and make it as a wallpaper.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the Image, TargetObject registry key, registry Details from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
@@ -32818,7 +33473,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Modification Of Wallpaper - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Revil Ransomware", "BlackMatter Ransomware", "Windows Registry Abuse", "Brute Ratel C4", "LockBit Ransomware", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "mitre_attack": ["T1491"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Revil Ransomware", "BlackMatter Ransomware", "Windows Registry Abuse", "Brute Ratel C4", "LockBit Ransomware", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1491"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -32841,7 +33496,7 @@ search = `sysmon` EventCode =13 (TargetObject IN ("*\\Control Panel\\Desktop\\W
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic identifies suspicious modification of ACL permission to a files or folder to make it available to everyone. This technique may be used by the adversary to evade ACLs or protected files access. This changes is commonly configured by the file or directory owner with appropriate permission. This behavior is a good indicator if this command seen on a machine utilized by an account with no permission to do so.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1222"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic identifies suspicious modification of ACL permission to a files or folder to make it available to everyone. This technique may be used by the adversary to evade ACLs or protected files access. This changes is commonly configured by the file or directory owner with appropriate permission. This behavior is a good indicator if this command seen on a machine utilized by an account with no permission to do so.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model.
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -32864,7 +33519,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Modify ACL permission To Files Or Folder - Rule
-action.correlationsearch.annotations = {"analytic_story": ["XMRig"], "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "mitre_attack": ["T1222"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["XMRig"], "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -32881,7 +33536,7 @@ search = | tstats `security_content_summariesonly` values(Processes.process) as
 action.escu = 0
 action.escu.enabled = 1
 description = This search looks for registry activity associated with modifications to the registry key `HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors`. In this scenario, an attacker can load an arbitrary .dll into the print-monitor registry by giving the full path name to the after.dll. The system will execute the .dll with elevated (SYSTEM) permissions and will persist after reboot.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.010", "T1547"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.010", "T1547"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search looks for registry activity associated with modifications to the registry key `HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors`. In this scenario, an attacker can load an arbitrary .dll into the print-monitor registry by giving the full path name to the after.dll. The system will execute the .dll with elevated (SYSTEM) permissions and will persist after reboot.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
@@ -32904,7 +33559,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Monitor Registry Keys for Print Monitors - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1547.010", "T1547"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.010", "T1547"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -32927,7 +33582,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell. Paths include: `\HttpProxy\owa\auth\`, `\inetpub\wwwroot\aspnet_client\`, and `\HttpProxy\OAB\`. The analytic is limited to process name MSExchangeMailboxReplication.exe, which typically does not write .aspx files to disk. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously.
If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1505", "T1505.003", "T1190", "T1133"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505", "T1505.003", "T1190", "T1133"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell. Paths include: `\HttpProxy\owa\auth\`, `\inetpub\wwwroot\aspnet_client\`, and `\HttpProxy\OAB\`. The analytic is limited to process name MSExchangeMailboxReplication.exe, which typically does not write .aspx files to disk. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers.
A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant.
 action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.
@@ -32950,7 +33605,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - MS Exchange Mailbox Replication service writing Active Server Pages - Rule
-action.correlationsearch.annotations = {"analytic_story": ["ProxyShell", "Ransomware", "BlackByte Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "mitre_attack": ["T1505", "T1505.003", "T1190", "T1133"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["ProxyShell", "Ransomware", "BlackByte Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505", "T1505.003", "T1190", "T1133"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -32973,7 +33628,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = This search is to detect a suspicious MS scripting process such as wscript.exe or cscript.exe that loading ldap module to process ldap query. This behavior was seen in FIN7 implant where it uses javascript to execute ldap query to parse host information that will send to its C2 server. this anomaly detections is a good initial step to hunt further a suspicious ldap query or ldap related events to the host that may give you good information regarding ldap or AD information processing or might be a attacker.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search is to detect a suspicious MS scripting process such as wscript.exe or cscript.exe that loading ldap module to process ldap query. This behavior was seen in FIN7 implant where it uses javascript to execute ldap query to parse host information that will send to its C2 server. this anomaly detections is a good initial step to hunt further a suspicious ldap query or ldap related events to the host that may give you good information regarding ldap or AD information processing or might be a attacker.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.
@@ -32996,7 +33651,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - MS Scripting Process Loading Ldap Module - Rule
-action.correlationsearch.annotations = {"analytic_story": ["FIN7"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["FIN7"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -33013,7 +33668,7 @@ search = `sysmon` EventCode =7 Image IN ("*\\wscript.exe", "*\\cscript.exe") Ima
 action.escu = 0
 action.escu.enabled = 1
 description = This search is to detect a suspicious MS scripting process such as wscript.exe or cscript.exe that loading wmi module to process wmi query. This behavior was seen in FIN7 implant where it uses javascript to execute wmi query to parse host information that will send to its C2 server. this anomaly detections is a good initial step to hunt further a suspicious wmi query or wmi related events to the host that may give you good information regarding process that are commonly using wmi query or modules or might be an attacker using this technique.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This search is to detect a suspicious MS scripting process such as wscript.exe or cscript.exe that loading wmi module to process wmi query. This behavior was seen in FIN7 implant where it uses javascript to execute wmi query to parse host information that will send to its C2 server. this anomaly detections is a good initial step to hunt further a suspicious wmi query or wmi related events to the host that may give you good information regarding process that are commonly using wmi query or modules or might be an attacker using this technique.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.
@@ -33036,7 +33691,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - MS Scripting Process Loading WMI Module - Rule
-action.correlationsearch.annotations = {"analytic_story": ["FIN7"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["FIN7"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.007"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -33053,7 +33708,7 @@ search = `sysmon` EventCode =7 Image IN ("*\\wscript.exe", "*\\cscript.exe") Ima
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic is to detect a suspicious child process of MSBuild spawned by Windows Script Host - cscript or wscript. This behavior or event are commonly seen and used by malware or adversaries to execute malicious msbuild process using malicious script in the compromised host. During triage, review parallel processes and identify any file modifications. MSBuild may load a script from the same path without having command-line arguments.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1127.001", "T1127"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1127.001", "T1127"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic is to detect a suspicious child process of MSBuild spawned by Windows Script Host - cscript or wscript. This behavior or event are commonly seen and used by malware or adversaries to execute malicious msbuild process using malicious script in the compromised host. During triage, review parallel processes and identify any file modifications. MSBuild may load a script from the same path without having command-line arguments.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -33076,7 +33731,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - MSBuild Suspicious Spawned By Script Process - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Trusted Developer Utilities Proxy Execution MSBuild"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1127.001", "T1127"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Trusted Developer Utilities Proxy Execution MSBuild"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1127.001", "T1127"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -33099,7 +33754,7 @@ search = | tstats `security_content_summariesonly` count values(Processes.proces
 action.escu = 0
 action.escu.enabled = 1
 description = This search is to detect a suspicious mshta.exe process that spawn rundll32 or regsvr32 child process. This technique was seen in several malware nowadays like trickbot to load its initial .dll stage loader to execute and download the the actual trickbot payload.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search is to detect a suspicious mshta.exe process that spawn rundll32 or regsvr32 child process. This technique was seen in several malware nowadays like trickbot to load its initial .dll stage loader to execute and download the the actual trickbot payload.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -33122,7 +33777,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Trickbot", "IcedID", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Trickbot", "IcedID", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -33145,7 +33800,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following detection identifies the module load of mshtml.dll into an Office product. This behavior has been related to CVE-2021-40444, whereas the malicious document will load ActiveX, which activates the MSHTML component. The vulnerability resides in the MSHTML component. During triage, identify parallel processes and capture any file modifications for analysis.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following detection identifies the module load of mshtml.dll into an Office product. This behavior has been related to CVE-2021-40444, whereas the malicious document will load ActiveX, which activates the MSHTML component. The vulnerability resides in the MSHTML component. During triage, identify parallel processes and capture any file modifications for analysis.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process names and image loads from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
@@ -33168,7 +33823,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - MSHTML Module Load in Office Product - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-40444"], "impact": 80, "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-40444"], "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -33196,7 +33851,7 @@ description = The following hunting analytic identifies `msi.dll` being loaded b
 1. Inducing an error state. \
 1. Racing to introduce a junction and a symlink to trick msiexec.exe to modify the attacker specified file. \
 In addition, `msi.dll` has been abused in DLL side-loading attacks by being loaded by non-system binaries.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following hunting analytic identifies `msi.dll` being loaded by a binary not located in `system32`, `syswow64`, `winsxs` or `windows` paths. This behavior is most recently related to InstallerFileTakeOver, or CVE-2021-41379, and DLL side-loading. CVE-2021-41379 requires a binary to be dropped and `msi.dll` to be loaded by it. To Successful exploitation of this issue happens in four parts \
 1. Generation of an MSI that will trigger bad behavior. \
@@ -33219,7 +33874,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - MSI Module Loaded by Non-System Binary - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2021-41379"], "impact": 80, "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2021-41379"], "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -33236,7 +33891,7 @@ search = `sysmon` EventCode=7 ImageLoaded="*\\msi.dll" NOT (Image IN ("*\\System
 action.escu = 0
 action.escu.enabled = 1
 description = This search is to detect a suspicious creation of msmpeng.exe or mpsvc.dll in non default windows defender folder. This technique was seen with revil ransomware in Kaseya Supply chain. The approach is to drop an old version of msmpeng.exe to load the actual payload name as mspvc.dll which will load the revil ransomware to the compromise machine
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search is to detect a suspicious creation of msmpeng.exe or mpsvc.dll in non default windows defender folder. This technique was seen with revil ransomware in Kaseya Supply chain. The approach is to drop an old version of msmpeng.exe to load the actual payload name as mspvc.dll which will load the revil ransomware to the compromise machine
 action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.
@@ -33259,7 +33914,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Msmpeng Application DLL Side Loading - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Revil Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Revil Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.002", "T1574"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -33282,7 +33937,7 @@ search = |tstats `security_content_summariesonly` values(Filesystem.file_path) a
 action.escu = 0
 action.escu.enabled = 1
 description = The following hunting analytic will identify the use of localgroup discovery using `net localgroup`. During triage, review parallel processes and identify any further suspicious behavior.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following hunting analytic will identify the use of localgroup discovery using `net localgroup`. During triage, review parallel processes and identify any further suspicious behavior.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -33300,7 +33955,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Net Localgroup Discovery - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Prestige Ransomware", "Volt Typhoon", "Graceful Wipe Out Attack", "IcedID", "Windows Discovery Techniques", "Windows Post-Exploitation", "Azorult", "Active Directory Discovery", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Prestige Ransomware", "Volt Typhoon", "Graceful Wipe Out Attack", "IcedID", "Windows Discovery Techniques", "Windows Post-Exploitation", "Azorult", "Active Directory Discovery", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -33317,7 +33972,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This search is to detect modification of registry to bypass UAC windows feature. This technique is to add a payload dll path on .NET COR file path that will be loaded by mmc.exe as soon it was executed. This detection rely on monitoring the registry key and values in the detection area. It may happened that windows update some dll related to mmc.exe and add dll path in this registry. In this case filtering is needed.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search is to detect modification of registry to bypass UAC windows feature. This technique is to add a payload dll path on .NET COR file path that will be loaded by mmc.exe as soon it was executed. This detection rely on monitoring the registry key and values in the detection area. It may happened that windows update some dll related to mmc.exe and add dll path in this registry. In this case filtering is needed.
 action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.
@@ -33340,7 +33995,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - NET Profiler UAC bypass - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -33363,7 +34018,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for the execution of `arp.exe` utilized to get a listing of network connections on a compromised system. Red Teams and adversaries alike may use arp.exe for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for the execution of `arp.exe` utilized to get a listing of network connections on a compromised system. Red Teams and adversaries alike may use arp.exe for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -33381,7 +34036,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Network Connection Discovery With Arp - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Qakbot", "Windows Post-Exploitation", "Prestige Ransomware", "Volt Typhoon", "IcedID"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Qakbot", "Windows Post-Exploitation", "Prestige Ransomware", "Volt Typhoon", "IcedID"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -33398,7 +34053,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for the execution of `net.exe` with command-line arguments utilized to get a listing of network connections on a compromised system. Red Teams and adversaries alike may use net.exe for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for the execution of `net.exe` with command-line arguments utilized to get a listing of network connections on a compromised system. Red Teams and adversaries alike may use net.exe for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -33416,7 +34071,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Network Connection Discovery With Net - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Azorult", "Windows Post-Exploitation", "Prestige Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Azorult", "Windows Post-Exploitation", "Prestige Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -33433,7 +34088,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for the execution of `netstat.exe` with command-line arguments utilized to get a listing of network connections on a compromised system. Red Teams and adversaries alike may use netstat.exe for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for the execution of `netstat.exe` with command-line arguments utilized to get a listing of network connections on a compromised system. Red Teams and adversaries alike may use netstat.exe for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -33451,7 +34106,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Network Connection Discovery With Netstat - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Volt Typhoon", "Active Directory Discovery", "Prestige Ransomware", "Windows Post-Exploitation", "Qakbot", "CISA AA22-277A", "CISA AA23-347A", "PlugX"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Volt Typhoon", "Active Directory Discovery", "Prestige Ransomware", "Windows Post-Exploitation", "Qakbot", "CISA AA22-277A", "CISA AA23-347A", "PlugX"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1049"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -33468,13 +34123,13 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic look for a spawned process of route.exe windows application. Adversaries and red teams alike abuse this application the recon or do a network discovery on a target host. but one possible false positive might be an automated tool used by a system administator or a powershell script in amazon ec2 config services.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1016", "T1016.001"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1016", "T1016.001"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic look for a spawned process of route.exe windows application. Adversaries and red teams alike abuse this application the recon or do a network discovery on a target host. but one possible false positive might be an automated tool used by a system administator or a powershell script in amazon ec2 config services.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
action.escu.known_false_positives = A network operator or systems administrator may utilize an automated host discovery application that may generate false positives or an amazon ec2 script that uses this application. Filter as needed.
-action.escu.creation_date = 2021-11-12
-action.escu.modification_date = 2021-11-12
+action.escu.creation_date = 2024-02-14
+action.escu.modification_date = 2024-02-14
 action.escu.confidence = high
 action.escu.full_search_name = ESCU - Network Discovery Using Route Windows App - Rule
 action.escu.search_type = detection
@@ -33486,7 +34141,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Network Discovery Using Route Windows App - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Qakbot", "CISA AA22-277A", "Windows Post-Exploitation", "Prestige Ransomware"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "mitre_attack": ["T1016", "T1016.001"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Qakbot", "CISA AA22-277A", "Windows Post-Exploitation", "Prestige Ransomware"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1016", "T1016.001"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -33503,7 +34158,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies object access on Windows administrative SMB shares (Admin$, IPC$, C$). This represents suspicious behavior as its commonly used by tools like PsExec/PaExec and others to stage service binaries before creating and starting a Windows service on remote endpoints. Red Teams and adversaries alike may abuse administrative shares for lateral movement and remote code execution. The IcedID malware family also implements this behavior to try to infect other machines in the infected network.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1135"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1135"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies object access on Windows administrative SMB shares (Admin$, IPC$, C$). This represents suspicious behavior as its commonly used by tools like PsExec/PaExec and others to stage service binaries before creating and starting a Windows service on remote endpoints. Red Teams and adversaries alike may abuse administrative shares for lateral movement and remote code execution. The IcedID malware family also implements this behavior to try to infect other machines in the infected network.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5140 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy.
@@ -33521,7 +34176,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Network Share Discovery Via Dir Command - Rule
-action.correlationsearch.annotations = {"analytic_story": ["IcedID"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1135"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["IcedID"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1135"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -33534,11 +34189,46 @@ realtime_schedule = 0 is_visible = false search = `wineventlog_security` EventCode=5140 ShareName IN("\\\\*\\ADMIN$","\\\\*\\C$","*\\\\*\\IPC$") AccessMask= 0x1 | stats min(_time) as firstTime max(_time) as lastTime count by ShareName IpAddress ObjectType SubjectUserName SubjectDomainName IpPort AccessMask Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_share_discovery_via_dir_command_filter` +[ESCU - Network Traffic to Active Directory Web Services Protocol - Rule] +action.escu = 0 +action.escu.enabled = 1 +description = The following analytic identifies network traffic to Active Directory Web Services Protocol. This protocol is used to manage Active Directory. The analytic is meant to be tuned and filtered to the specific environment. It will assist defenders in identifying suspicious processes accessing port 9389. +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.AE"]} +action.escu.data_models = ["Network_Traffic"] +action.escu.eli5 = The following analytic identifies network traffic to Active Directory Web Services Protocol. This protocol is used to manage Active Directory. The analytic is meant to be tuned and filtered to the specific environment. It will assist defenders in identifying suspicious processes accessing port 9389. +action.escu.how_to_implement = The detection is based on data that originates from network traffic logs. The logs must contain the source and destination IP addresses, the application name, and the destination port. The logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the network traffic data source. The logs must also be mapped to the `Network_Traffic` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +action.escu.known_false_positives = False positives should be limited as the destination port is specific to Active Directory Web Services Protocol, however we recommend utilizing this analytic to hunt for non-standard processes querying the ADWS port. Filter by App or dest_ip to AD servers and remove known proceses querying ADWS. +action.escu.creation_date = 2024-02-12 +action.escu.modification_date = 2024-02-12 +action.escu.confidence = high +action.escu.full_search_name = ESCU - Network Traffic to Active Directory Web Services Protocol - Rule +action.escu.search_type = detection +action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] +action.escu.providing_technologies = null +action.escu.analytic_story = ["Discovery Techniques"] +cron_schedule = 0 * * * * +dispatch.earliest_time = -70m@m +dispatch.latest_time = -10m@m +action.correlationsearch.enabled = 1 +action.correlationsearch.label = ESCU - Network Traffic to Active Directory Web Services Protocol - Rule +action.correlationsearch.annotations = {"analytic_story": ["Discovery Techniques"], "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.AE"]} +schedule_window = auto +alert.digest_mode = 1 +disabled = true +enableSched = 1 +allow_skew = 100% +counttype = number of events +relation = greater than +quantity = 0 +realtime_schedule = 0 +is_visible = false +search = | tstats count from datamodel=Network_Traffic where All_Traffic.dest_port=9389 by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.user, All_Traffic.dest_port | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Traffic")` | 
`network_traffic_to_active_directory_web_services_protocol_filter` + [ESCU - Nishang PowershellTCPOneLine - Rule] action.escu = 0 action.escu.enabled = 1 description = This query detects the Nishang Invoke-PowerShellTCPOneLine utility that spawns a call back to a remote Command And Control server. This is a powershell oneliner. In addition, this will capture on the command-line additional utilities used by Nishang. Triage the endpoint and identify any parallel processes that look suspicious. Review the reputation of the remote IP or domain contacted by the powershell process. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This query detects the Nishang Invoke-PowerShellTCPOneLine utility that spawns a call back to a remote Command And Control server. This is a powershell oneliner. In addition, this will capture on the command-line additional utilities used by Nishang. Triage the endpoint and identify any parallel processes that look suspicious. Review the reputation of the remote IP or domain contacted by the powershell process. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -33561,7 +34251,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Nishang PowershellTCPOneLine - Rule -action.correlationsearch.annotations = {"analytic_story": ["HAFNIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["HAFNIUM Group"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
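Review bot: The new Network Traffic to Active Directory Web Services Protocol search (hunk @@ -33534, which spans several physical lines here) pipes its results through the security_content_ctime macros for firstTime and lastTime, but its tstats clause computes only `count`, so neither field exists and the rendered timestamps will be empty; it also omits the security_content_summariesonly macro that every neighbouring tstats search begins with, so it will not honour the accelerated/summariesonly setting the other detections share. The first stage should read `| tstats <summariesonly macro> count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.dest_port=9389 by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.user, All_Traffic.dest_port` with the rest of the pipeline unchanged. In the same stanza `action.escu.providing_technologies = null` is a bare literal where the surrounding stanzas carry a JSON list, which may trip whatever consumes these keys. As this conf appears to be generated, the fix presumably belongs in the source detection definition rather than here.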
@@ -33584,7 +34274,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This search looks for the execution of `nltest.exe` with command-line arguments utilized to query for Domain Trust information. Two arguments `/domain trusts`, returns a list of trusted domains, and `/all_trusts`, returns all trusted domains. Red Teams and adversaries alike use NLTest.exe to enumerate the current domain to assist with further understanding where to pivot next. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for the execution of `nltest.exe` with command-line arguments utilized to query for Domain Trust information. Two arguments `/domain trusts`, returns a list of trusted domains, and `/all_trusts`, returns all trusted domains. Red Teams and adversaries alike use NLTest.exe to enumerate the current domain to assist with further understanding where to pivot next. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -33607,7 +34297,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - NLTest Domain Trust Discovery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ryuk Ransomware", "Domain Trust Discovery", "IcedID", "Active Directory Discovery", "Qakbot", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1482"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Ryuk Ransomware", "Domain Trust Discovery", "IcedID", "Active Directory Discovery", "Qakbot", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1482"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -33630,7 +34320,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This search is to detect an anomaly event of a non-chrome process accessing the files in chrome user default folder. This folder contains all the sqlite database of the chrome browser related to users login, history, cookies and etc. Most of the RAT, trojan spy as well as FIN7 jssloader try to parse the those sqlite database to collect information on the compromised host. This SACL Event (4663) need to be enabled to tthe firefox profile directory to be eable to use this. Since you monitoring this access to the folder, we observed noise that needs to be filter out and hence added sqlite db browser and explorer .exe to make this detection more stable. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1555", "T1555.003"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555", "T1555.003"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search is to detect an anomaly event of a non-chrome process accessing the files in chrome user default folder. This folder contains all the sqlite database of the chrome browser related to users login, history, cookies and etc. Most of the RAT, trojan spy as well as FIN7 jssloader try to parse the those sqlite database to collect information on the compromised host. This SACL Event (4663) need to be enabled to tthe firefox profile directory to be eable to use this. Since you monitoring this access to the folder, we observed noise that needs to be filter out and hence added sqlite db browser and explorer .exe to make this detection more stable. action.escu.how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. 
Then check the two boxes listed for both "Success" and "Failure." @@ -33642,7 +34332,7 @@ action.escu.full_search_name = ESCU - Non Chrome Process Accessing Chrome Defaul action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Remcos", "NjRAT", "Warzone RAT", "3CX Supply Chain Attack", "RedLine Stealer", "FIN7", "DarkGate Malware", "AgentTesla", "CISA AA23-347A"] +action.escu.analytic_story = ["Remcos", "NjRAT", "Warzone RAT", "3CX Supply Chain Attack", "RedLine Stealer", "FIN7", "DarkGate Malware", "AgentTesla", "CISA AA23-347A", "Phemedrone Stealer"] action.risk = 1 action.risk.param._risk_message = a non firefox browser process $process_name$ accessing $Object_Name$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}] @@ -33653,7 +34343,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule -action.correlationsearch.annotations = {"analytic_story": ["Remcos", "NjRAT", "Warzone RAT", "3CX Supply Chain Attack", "RedLine Stealer", "FIN7", "DarkGate Malware", "AgentTesla", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "mitre_attack": ["T1555", "T1555.003"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Remcos", "NjRAT", "Warzone RAT", "3CX Supply Chain Attack", "RedLine Stealer", "FIN7", "DarkGate Malware", "AgentTesla", "CISA AA23-347A", "Phemedrone Stealer"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555", "T1555.003"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
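Review bot: The risk message in the Non Chrome Process Accessing Chrome Default Dir stanza (hunk @@ -33642) still reads `action.risk.param._risk_message = a non firefox browser process $process_name$ accessing $Object_Name$`, which matches the Firefox rule's message verbatim and will mislabel every Chrome-profile notable and risk event this rule raises. It should say `a non chrome browser process $process_name$ accessing $Object_Name$` so analysts can tell the two detections apart in Enterprise Security. If this conf is rendered from the detection YAML, the correction presumably belongs in the source definition so the next release job does not reintroduce it.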
@@ -33670,7 +34360,7 @@ search = `wineventlog_security` EventCode=4663 NOT (process_name IN ("*\\chrome. action.escu = 0 action.escu.enabled = 1 description = This search is to detect an anomaly event of a non-firefox process accessing the files in the profile folder. This folder contains all the sqlite database of the firefox browser related to users login, history, cookies and etc. Most of the RAT, trojan spy as well as FIN7 jssloader try to parse the those sqlite database to collect information on the compromised host. This SACL Event (4663) needs to be enabled to the firefox profile directory to use this. Since this is monitoring the access to the folder, we have obsevered noise and hence added `sqlite db browser` and `explorer.exe` to make this detection more stable. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1555", "T1555.003"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555", "T1555.003"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This search is to detect an anomaly event of a non-firefox process accessing the files in the profile folder. This folder contains all the sqlite database of the firefox browser related to users login, history, cookies and etc. Most of the RAT, trojan spy as well as FIN7 jssloader try to parse the those sqlite database to collect information on the compromised host. This SACL Event (4663) needs to be enabled to the firefox profile directory to use this. Since this is monitoring the access to the folder, we have obsevered noise and hence added `sqlite db browser` and `explorer.exe` to make this detection more stable. action.escu.how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." 
@@ -33682,7 +34372,7 @@ action.escu.full_search_name = ESCU - Non Firefox Process Access Firefox Profile action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Azorult", "Remcos", "NjRAT", "Warzone RAT", "3CX Supply Chain Attack", "RedLine Stealer", "FIN7", "DarkGate Malware", "AgentTesla", "CISA AA23-347A"] +action.escu.analytic_story = ["Azorult", "Remcos", "NjRAT", "Warzone RAT", "3CX Supply Chain Attack", "RedLine Stealer", "FIN7", "DarkGate Malware", "AgentTesla", "CISA AA23-347A", "Phemedrone Stealer"] action.risk = 1 action.risk.param._risk_message = a non firefox browser process $process_name$ accessing $Object_Name$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 35}] @@ -33693,7 +34383,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Non Firefox Process Access Firefox Profile Dir - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "Remcos", "NjRAT", "Warzone RAT", "3CX Supply Chain Attack", "RedLine Stealer", "FIN7", "DarkGate Malware", "AgentTesla", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "mitre_attack": ["T1555", "T1555.003"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Azorult", "Remcos", "NjRAT", "Warzone RAT", "3CX Supply Chain Attack", "RedLine Stealer", "FIN7", "DarkGate Malware", "AgentTesla", "CISA AA23-347A", "Phemedrone Stealer"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555", "T1555.003"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -33710,7 +34400,7 @@ search = `wineventlog_security` EventCode=4663 NOT (process_name IN ("*\\firefox action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies behavior related to default SliverC2 framework where it will inject into Notepad.exe and spawn Notepad.exe with no command line arguments. In testing, this is a common procedure for SliverC2 usage, however may be modified or changed. From Microsoft, "The Sideload, SpawnDll, and Execute-Assembly commands spawn and inject into notepad.exe by default. The following query finds process creation events where the same process creates and injects into notepad.exe within 10 seconds." -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies behavior related to default SliverC2 framework where it will inject into Notepad.exe and spawn Notepad.exe with no command line arguments. In testing, this is a common procedure for SliverC2 usage, however may be modified or changed. From Microsoft, "The Sideload, SpawnDll, and Execute-Assembly commands spawn and inject into notepad.exe by default. The following query finds process creation events where the same process creates and injects into notepad.exe within 10 seconds." action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -33733,7 +34423,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Notepad with no Command Line Arguments - Rule -action.correlationsearch.annotations = {"analytic_story": ["BishopFox Sliver Adversary Emulation Framework"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["BishopFox Sliver Adversary Emulation Framework"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -33758,7 +34448,7 @@ action.escu.enabled = 1 description = Monitor for signs that Ntdsutil is being used to Extract Active Directory database - NTDS.dit, typically used for offline password cracking. It may be used in normal circumstances with no command line arguments or shorthand variations of more common arguments. Ntdsutil.exe is typically seen run on a Windows Server. Typical command used to dump ntds.dit \ ntdsutil "ac i ntds" "ifm" "create full C:\Temp" q q \ This technique uses "Install from Media" (IFM), which will extract a copy of the Active Directory database. A successful export of the Active Directory database will yield a file modification named ntds.dit to the destination. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = Monitor for signs that Ntdsutil is being used to Extract Active Directory database - NTDS.dit, typically used for offline password cracking. It may be used in normal circumstances with no command line arguments or shorthand variations of more common arguments. Ntdsutil.exe is typically seen run on a Windows Server. Typical command used to dump ntds.dit \ ntdsutil "ac i ntds" "ifm" "create full C:\Temp" q q \ 
@@ -33783,7 +34473,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Ntdsutil Export NTDS - Rule -action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "HAFNIUM Group", "Living Off The Land", "Prestige Ransomware", "Volt Typhoon", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "HAFNIUM Group", "Living Off The Land", "Prestige Ransomware", "Volt Typhoon", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -33808,7 +34498,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This search is to detect a suspicious MS office application that drops or creates executables or scripts in a Windows Operating System. This behavior is commonly seen in spear phishing office attachment where it drop malicious files or script to compromised the host. It might be some normal macro may drop script or tools as part of automation but still this behavior is reallly suspicious and not commonly seen in normal office application -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search is to detect a suspicious MS office application that drops or creates executables or scripts in a Windows Operating System. This behavior is commonly seen in spear phishing office attachment where it drop malicious files or script to compromised the host. It might be some normal macro may drop script or tools as part of automation but still this behavior is reallly suspicious and not commonly seen in normal office application action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. 
@@ -33831,7 +34521,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Office Application Drop Executable - Rule -action.correlationsearch.annotations = {"analytic_story": ["FIN7", "AgentTesla", "CVE-2023-21716 Word RTF Heap Corruption", "Warzone RAT", "PlugX"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["FIN7", "AgentTesla", "CVE-2023-21716 Word RTF Heap Corruption", "Warzone RAT", "PlugX"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -33854,7 +34544,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint action.escu = 0 action.escu.enabled = 1 description = this detection was designed to identifies suspicious spawned process of known MS office application due to macro or malicious code. this technique can be seen in so many malware like IcedID that used MS office as its weapon or attack vector to initially infect the machines. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = this detection was designed to identifies suspicious spawned process of known MS office application due to macro or malicious code. this technique can be seen in so many malware like IcedID that used MS office as its weapon or attack vector to initially infect the machines. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -33877,7 +34567,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Office Application Spawn Regsvr32 process - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Qakbot"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Qakbot"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -33900,7 +34590,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This detection was designed to identify suspicious spawned processes of known MS office applications due to macro or malicious code. this technique can be seen in so many malware like trickbot that used MS office as its weapon or attack vector to initially infect the machines. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This detection was designed to identify suspicious spawned processes of known MS office applications due to macro or malicious code. this technique can be seen in so many malware like trickbot that used MS office as its weapon or attack vector to initially infect the machines. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -33923,7 +34613,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Office Application Spawn rundll32 process - Rule -action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "Trickbot", "IcedID", "AgentTesla", "NjRAT"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "Trickbot", "IcedID", "AgentTesla", "NjRAT"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -33946,7 +34636,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = this search detects a potential malicious office document that create schedule task entry through macro VBA api or through loading taskschd.dll. This technique was seen in so many malicious macro malware that create persistence , beaconing using task schedule malware entry The search will return the first time and last time the task was registered, as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not. schtasks.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64`. The following DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. If found loaded by another process, it's possible a scheduled task is being registered within that process context in memory. Upon triage, identify the task scheduled source. Was it schtasks.exe or via TaskService? Review the job created and the Command to be executed. Capture any artifacts on disk and review. Identify any parallel processes within the same timeframe to identify source.' -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = this search detects a potential malicious office document that create schedule task entry through macro VBA api or through loading taskschd.dll. This technique was seen in so many malicious macro malware that create persistence , beaconing using task schedule malware entry The search will return the first time and last time the task was registered, as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not. 
schtasks.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64`. The following DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. If found loaded by another process, it's possible a scheduled task is being registered within that process context in memory. Upon triage, identify the task scheduled source. Was it schtasks.exe or via TaskService? Review the job created and the Command to be executed. Capture any artifacts on disk and review. Identify any parallel processes within the same timeframe to identify source.' action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Also be sure to include those monitored dll to your own sysmon config. @@ -33969,7 +34659,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Office Document Creating Schedule Task - Rule -action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -33992,7 +34682,7 @@ search = `sysmon` EventCode=7 parent_process_name IN ("WINWORD.EXE", "EXCEL.EXE" action.escu = 0 action.escu.enabled = 1 description = this detection was designed to identifies suspicious office documents that using macro code. Macro code is known to be one of the prevalent weaponization or attack vector of threat actor. This malicious macro code is embed to a office document as an attachment that may execute malicious payload, download malware payload or other malware component. It is really good practice to disable macro by default to avoid automatically execute macro code while opening or closing a office document files. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = this detection was designed to identifies suspicious office documents that using macro code. Macro code is known to be one of the prevalent weaponization or attack vector of threat actor. This malicious macro code is embed to a office document as an attachment that may execute malicious payload, download malware payload or other malware component. It is really good practice to disable macro by default to avoid automatically execute macro code while opening or closing a office document files. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Also be sure to include those monitored dll to your own sysmon config. 
@@ -34015,7 +34705,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Office Document Executing Macro Code - Rule -action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "Trickbot", "IcedID", "DarkCrystal RAT", "AgentTesla", "Qakbot", "Azorult", "Remcos", "PlugX", "NjRAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "Trickbot", "IcedID", "DarkCrystal RAT", "AgentTesla", "Qakbot", "Azorult", "Remcos", "PlugX", "NjRAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -34038,7 +34728,7 @@ search = `sysmon` EventCode=7 parent_process_name IN ("WINWORD.EXE", "EXCEL.EXE" action.escu = 0 action.escu.enabled = 1 description = This search is to detect potential malicious office document executing lolbin child process to download payload or other malware. Since most of the attacker abused the capability of office document to execute living on land application to blend it to the normal noise in the infected machine to cover its track. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search is to detect potential malicious office document executing lolbin child process to download payload or other malware. Since most of the attacker abused the capability of office document to execute living on land application to blend it to the normal noise in the infected machine to cover its track. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -34061,7 +34751,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Office Document Spawned Child Process To Download - Rule -action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "PlugX", "NjRAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "PlugX", "NjRAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -34084,7 +34774,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = this search is to detect a suspicious office product process that spawn cmd child process. This is commonly seen in a ms office product having macro to execute shell command to download or execute malicious lolbin relative to its malicious code. This is seen in trickbot spear phishing doc where it execute shell cmd to run mshta payload. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = this search is to detect a suspicious office product process that spawn cmd child process. This is commonly seen in a ms office product having macro to execute shell command to download or execute malicious lolbin relative to its malicious code. This is seen in trickbot spear phishing doc where it execute shell cmd to run mshta payload. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -34107,7 +34797,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Office Product Spawn CMD Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["Trickbot", "DarkCrystal RAT", "Azorult", "Remcos", "Qakbot", "AgentTesla", "CVE-2023-21716 Word RTF Heap Corruption", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Warzone RAT", "PlugX", "NjRAT"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Trickbot", "DarkCrystal RAT", "Azorult", "Remcos", "Qakbot", "AgentTesla", "CVE-2023-21716 Word RTF Heap Corruption", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "Warzone RAT", "PlugX", "NjRAT"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -34130,7 +34820,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office Product spawning `bitsadmin.exe`. In malicious instances, the command-line of `bitsadmin.exe` will contain a URL to a remote destination or similar command-line arguments as transfer, Download, priority, Foreground. In addition, Threat Research has released a detections identifying suspicious use of `bitsadmin.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `bitsadmin.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office Product spawning `bitsadmin.exe`. In malicious instances, the command-line of `bitsadmin.exe` will contain a URL to a remote destination or similar command-line arguments as transfer, Download, priority, Foreground. In addition, Threat Research has released a detections identifying suspicious use of `bitsadmin.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. 
The Office Product, or `bitsadmin.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -34153,7 +34843,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Office Product Spawning BITSAdmin - Rule -action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -34176,7 +34866,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office Product spawning `certutil.exe`. In malicious instances, the command-line of `certutil.exe` will contain a URL to a remote destination. In addition, Threat Research has released a detections identifying suspicious use of `certutil.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `certutil.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office Product spawning `certutil.exe`. In malicious instances, the command-line of `certutil.exe` will contain a URL to a remote destination. In addition, Threat Research has released a detections identifying suspicious use of `certutil.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `certutil.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. 
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -34191,7 +34881,7 @@ action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Bla action.escu.analytic_story = ["Spearphishing Attachments", "AgentTesla", "Trickbot", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability"] action.risk = 1 action.risk.param._risk_message = office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"threat_object_field": "process_name", "threat_object_type": "process name"}] +action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"threat_object_field": "process_name", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -34199,7 +34889,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Office Product Spawning CertUtil - Rule -action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "AgentTesla", "Trickbot", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "AgentTesla", "Trickbot", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -34222,7 +34912,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office Product spawning `mshta.exe`. In malicious instances, the command-line of `mshta.exe` will contain the `hta` file locally, or a URL to the remote destination. In addition, Threat Research has released a detections identifying suspicious use of `mshta.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `mshta.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office Product spawning `mshta.exe`. In malicious instances, the command-line of `mshta.exe` will contain the `hta` file locally, or a URL to the remote destination. In addition, Threat Research has released a detections identifying suspicious use of `mshta.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `mshta.exe` will have reached out to a remote destination, capture and block the IPs or domain. 
Review additional parallel processes for further activity. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -34245,7 +34935,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Office Product Spawning MSHTA - Rule -action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "IcedID", "Azorult", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "NjRAT"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "IcedID", "Azorult", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "NjRAT"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -34268,7 +34958,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following detection identifies the latest behavior utilized by IcedID malware family. This detection identifies any Windows Office Product spawning `rundll32.exe` without a `.dll` file extension. In malicious instances, the command-line of `rundll32.exe` will look like `rundll32 ..\oepddl.igk2,DllRegisterServer`. In addition, Threat Research has released a detection identifying the use of `DllRegisterServer` on the command-line of `rundll32.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze the `DLL` that was dropped to disk. The Office Product will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following detection identifies the latest behavior utilized by IcedID malware family. This detection identifies any Windows Office Product spawning `rundll32.exe` without a `.dll` file extension. In malicious instances, the command-line of `rundll32.exe` will look like `rundll32 ..\oepddl.igk2,DllRegisterServer`. In addition, Threat Research has released a detection identifying the use of `DllRegisterServer` on the command-line of `rundll32.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze the `DLL` that was dropped to disk. 
The Office Product will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -34291,7 +34981,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Office Product Spawning Rundll32 with no DLL - Rule -action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -34314,7 +35004,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic will identify a Windows Office Product spawning WScript.exe or CScript.exe. Tuning may be required based on legitimate application usage that may spawn scripts from an Office product. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic will identify a Windows Office Product spawning WScript.exe or CScript.exe. Tuning may be required based on legitimate application usage that may spawn scripts from an Office product. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -34337,7 +35027,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Office Product Spawning Windows Script Host - Rule -action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "Remcos", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "Remcos", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -34360,7 +35050,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following detection identifies the latest behavior utilized by Ursnif malware family. This detection identifies any Windows Office Product spawning `wmic.exe`. In malicious instances, the command-line of `wmic.exe` will contain `wmic process call create`. In addition, Threat Research has released a detection identifying the use of `wmic process call create` on the command-line of `wmic.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `wmic.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following detection identifies the latest behavior utilized by Ursnif malware family. This detection identifies any Windows Office Product spawning `wmic.exe`. In malicious instances, the command-line of `wmic.exe` will contain `wmic process call create`. In addition, Threat Research has released a detection identifying the use of `wmic process call create` on the command-line of `wmic.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `wmic.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -34375,7 +35065,7 @@ action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Bla
 action.escu.analytic_story = ["Spearphishing Attachments", "FIN7", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability"]
 action.risk = 1
 action.risk.param._risk_message = office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$
-action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"threat_object_field": "process_name", "threat_object_type": "process name"}]
+action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"threat_object_field": "process_name", "threat_object_type": "process"}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -34383,7 +35073,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Office Product Spawning Wmic - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "FIN7", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "FIN7", "CVE-2023-36884 Office and Windows HTML RCE Vulnerability"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -34406,7 +35096,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies behavior related to CVE-2021-40444. Whereas the malicious document will load ActiveX and download the remote payload (.inf, .cab). During triage, review parallel processes and further activity on endpoint to identify additional patterns. Retrieve the file modifications and analyze further.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies behavior related to CVE-2021-40444. Whereas the malicious document will load ActiveX and download the remote payload (.inf, .cab). During triage, review parallel processes and further activity on endpoint to identify additional patterns. Retrieve the file modifications and analyze further.
 action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.
@@ -34429,7 +35119,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Office Product Writing cab or inf - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "Microsoft MSHTML Remote Code Execution CVE-2021-40444"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-40444"], "impact": 80, "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "Microsoft MSHTML Remote Code Execution CVE-2021-40444"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-40444"], "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -34452,7 +35142,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = The following detection identifies control.exe spawning from an office product. This detection identifies any Windows Office Product spawning `control.exe`. In malicious instances, the command-line of `control.exe` will contain a file path to a .cpl or .inf, related to CVE-2021-40444. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. review parallel and child processes to identify further suspicious behavior
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following detection identifies control.exe spawning from an office product. This detection identifies any Windows Office Product spawning `control.exe`. In malicious instances, the command-line of `control.exe` will contain a file path to a .cpl or .inf, related to CVE-2021-40444. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. review parallel and child processes to identify further suspicious behavior
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -34475,7 +35165,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Office Spawning Control - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "Microsoft MSHTML Remote Code Execution CVE-2021-40444"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-40444"], "impact": 80, "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "Microsoft MSHTML Remote Code Execution CVE-2021-40444"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-40444"], "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.001"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -34498,7 +35188,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = A required step while exploiting the CVE-2021-44228-Log4j vulnerability is that the victim server will perform outbound connections to attacker-controlled infrastructure. This is required as part of the JNDI lookup as well as for retrieving the second stage .class payload. The following analytic identifies the Java process reaching out to default ports used by the LDAP and RMI protocols. This behavior could represent successfull exploitation. Note that adversaries can easily decide to use arbitrary ports for these protocols and potentially bypass this detection.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint", "Network_Traffic"]
 action.escu.eli5 = A required step while exploiting the CVE-2021-44228-Log4j vulnerability is that the victim server will perform outbound connections to attacker-controlled infrastructure. This is required as part of the JNDI lookup as well as for retrieving the second stage .class payload. The following analytic identifies the Java process reaching out to default ports used by the LDAP and RMI protocols. This behavior could represent successfull exploitation. Note that adversaries can easily decide to use arbitrary ports for these protocols and potentially bypass this detection.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -34521,7 +35211,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Outbound Network Connection from Java Using Default Ports - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Log4Shell CVE-2021-44228"], "cis20": ["CIS 10"], "confidence": 60, "cve": ["CVE-2021-44228"], "impact": 90, "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Log4Shell CVE-2021-44228"], "cis20": ["CIS 10"], "confidence": 60, "cve": ["CVE-2021-44228"], "impact": 90, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -34544,7 +35234,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = Microsoft Windows contains accessibility features that can be launched with a key combination before a user has logged in. An adversary can modify or replace these programs so they can get a command prompt or backdoor without logging in to the system. This search looks for modifications to these binaries.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1546", "T1546.008"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546", "T1546.008"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = Microsoft Windows contains accessibility features that can be launched with a key combination before a user has logged in. An adversary can modify or replace these programs so they can get a command prompt or backdoor without logging in to the system. This search looks for modifications to these binaries.
 action.escu.how_to_implement = You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.
@@ -34559,7 +35249,7 @@ action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Bla
 action.escu.analytic_story = ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation", "Flax Typhoon"]
 action.risk = 1
 action.risk.param._risk_message = A suspicious file modification or replace in $file_path$ in host $dest$
-action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"threat_object_field": "file_name", "threat_object_type": "file"}]
+action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -34567,7 +35257,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Overwriting Accessibility Binaries - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation", "Flax Typhoon"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "mitre_attack": ["T1546", "T1546.008"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation", "Flax Typhoon"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546", "T1546.008"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -34590,7 +35280,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following hunting analytic is designed to monitor and detect potential exploitation attempts targeting a PaperCut NG server by analyzing its debug log data. By focusing on public IP addresses accessing the PaperCut NG instance, this analytic aims to identify unauthorized or suspicious access attempts. Furthermore, it searches for specific URIs that have been discovered in the proof of concept code, which are associated with known exploits or vulnerabilities. The analytic is focused on the user admin. Regex is used mainly because the log is not parsed by Splunk and there is no TA for this debug log.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following hunting analytic is designed to monitor and detect potential exploitation attempts targeting a PaperCut NG server by analyzing its debug log data. By focusing on public IP addresses accessing the PaperCut NG instance, this analytic aims to identify unauthorized or suspicious access attempts. Furthermore, it searches for specific URIs that have been discovered in the proof of concept code, which are associated with known exploits or vulnerabilities. The analytic is focused on the user admin. Regex is used mainly because the log is not parsed by Splunk and there is no TA for this debug log.
 action.escu.how_to_implement = Debug logs must be enabled and shipped to Splunk in order to properly identify behavior with this analytic.
@@ -34608,7 +35298,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - PaperCut NG Suspicious Behavior Debug Log - Rule
-action.correlationsearch.annotations = {"analytic_story": ["PaperCut MF NG Vulnerability"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["PaperCut MF NG Vulnerability"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -34625,7 +35315,7 @@ search = `papercutng` (loginType=Admin OR userName=admin) | eval uri_match=if(ma
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for the execution of `net.exe` or `net1.exe` with command line arguments used to obtain the domain password policy. Red Teams and adversaries may leverage `net.exe` for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for the execution of `net.exe` or `net1.exe` with command line arguments used to obtain the domain password policy. Red Teams and adversaries may leverage `net.exe` for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -34643,7 +35333,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Password Policy Discovery with Net - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1201"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -34660,7 +35350,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This search is to detect a modification of file or directory permission using takeown.exe windows app. This technique was seen in some ransomware that take the ownership of a folder or files to encrypt or delete it.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search is to detect a modification of file or directory permission using takeown.exe windows app. This technique was seen in some ransomware that take the ownership of a folder or files to encrypt or delete it.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -34683,7 +35373,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Permission Modification using Takeown App - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Sandworm Tools"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1222"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Sandworm Tools"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -34709,7 +35399,7 @@ description = The following analytic utilizes Windows Event Code 5145, "A networ
 To enable 5145 events via Group Policy - Computer Configuration->Polices->Windows Settings->Security Settings->Advanced Audit Policy Configuration. Expand this node, go to Object Access (Audit Polices->Object Access), then select the Setting Audit Detailed File Share Audit \
 It is possible this is not enabled by default and may need to be reviewed and enabled. \
 During triage, review parallel security events to identify further suspicious activity.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1187"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1187"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic utilizes Windows Event Code 5145, "A network share object was checked to see whether client can be granted desired access". During our research into PetitPotam, CVE-2021-36942, we identified the ocurrence of this event on the target host with specific values. \
 To enable 5145 events via Group Policy - Computer Configuration->Polices->Windows Settings->Security Settings->Advanced Audit Policy Configuration. Expand this node, go to Object Access (Audit Polices->Object Access), then select the Setting Audit Detailed File Share Audit \
@@ -34735,7 +35425,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - PetitPotam Network Share Access Request - Rule
-action.correlationsearch.annotations = {"analytic_story": ["PetitPotam NTLM Relay on Active Directory Certificate Services"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2021-36942"], "impact": 80, "mitre_attack": ["T1187"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["PetitPotam NTLM Relay on Active Directory Certificate Services"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2021-36942"], "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1187"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -34761,7 +35451,7 @@ search = `wineventlog_security` Account_Name="ANONYMOUS LOGON" EventCode=5145 Re
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifes Event Code 4768, A `Kerberos authentication ticket (TGT) was requested`, successfull occurs. This behavior has been identified to assist with detecting PetitPotam, CVE-2021-36942. Once an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning, we recommend filtering Account_Name to Domain Controllers for your environment.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifes Event Code 4768, A `Kerberos authentication ticket (TGT) was requested`, successfull occurs. This behavior has been identified to assist with detecting PetitPotam, CVE-2021-36942. Once an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning, we recommend filtering Account_Name to Domain Controllers for your environment.
 action.escu.how_to_implement = The following analytic requires Event Code 4768. Ensure that it is logging no Domain Controllers and appearing in Splunk.
@@ -34784,7 +35474,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule
-action.correlationsearch.annotations = {"analytic_story": ["PetitPotam NTLM Relay on Active Directory Certificate Services", "Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2021-36942"], "impact": 80, "mitre_attack": ["T1003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["PetitPotam NTLM Relay on Active Directory Certificate Services", "Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2021-36942"], "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -34807,7 +35497,7 @@ search = `wineventlog_security` EventCode=4768 Client_Address!="::1" Certificate
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic will identify the possible execution of ping sleep batch commands. This technique was seen in several malware samples and is used to trigger sleep times without explicitly calling sleep functions or commandlets. The goal is to delay the execution of malicious code and bypass detection or sandbox analysis. This detection can be a good indicator of a process delaying its execution for malicious purposes.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1497", "T1497.003"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1497", "T1497.003"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic will identify the possible execution of ping sleep batch commands. This technique was seen in several malware samples and is used to trigger sleep times without explicitly calling sleep functions or commandlets. The goal is to delay the execution of malicious code and bypass detection or sandbox analysis. This detection can be a good indicator of a process delaying its execution for malicious purposes.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -34830,7 +35520,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Ping Sleep Batch Command - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "WhisperGate", "BlackByte Ransomware", "Warzone RAT"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "mitre_attack": ["T1497", "T1497.003"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "WhisperGate", "BlackByte Ransomware", "Warzone RAT"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1497", "T1497.003"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -34847,7 +35537,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic will detect if a suspicious process contains a commandline parameter related to a web browser credential dumper. This technique is used by Remcos RAT malware which uses the Nirsoft webbrowserpassview.exe application to dump web browser credentials. Remcos uses the "/stext" command line to dump the credentials in text format. This Hunting query is a good indicator of hosts suffering from possible Remcos RAT infection. Since the hunting query is based on the parameter command and the possible path where it will save the text credential information, it may catch normal tools that are using the same command and behavior. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1555.003", "T1555"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555.003", "T1555"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic will detect if a suspicious process contains a commandline parameter related to a web browser credential dumper. This technique is used by Remcos RAT malware which uses the Nirsoft webbrowserpassview.exe application to dump web browser credentials. Remcos uses the "/stext" command line to dump the credentials in text format. This Hunting query is a good indicator of hosts suffering from possible Remcos RAT infection. Since the hunting query is based on the parameter command and the possible path where it will save the text credential information, it may catch normal tools that are using the same command and behavior. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -34865,7 +35555,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Possible Browser Pass View Parameter - Rule -action.correlationsearch.annotations = {"analytic_story": ["Remcos"], "cis20": ["CIS 10"], "confidence": 40, "impact": 40, "mitre_attack": ["T1555.003", "T1555"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Remcos"], "cis20": ["CIS 10"], "confidence": 40, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555.003", "T1555"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -34883,7 +35573,7 @@ action.escu = 0 action.escu.enabled = 1 description = The following analytic is designed to identify possible lateral movement attacks that involve the spawning of a PowerShell process as a child or grandchild process of commonly abused processes. These processes include services.exe, wmiprsve.exe, svchost.exe, wsmprovhost.exe, and mmc.exe.\ Such behavior is indicative of legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management, and the DCOM protocol being abused to start a process on a remote endpoint. This behavior is often seen during lateral movement techniques where adversaries or red teams abuse these services for lateral movement and remote code execution. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1021", "T1021.003", "T1021.006", "T1047", "T1053.005", "T1543.003", "T1059.001", "T1218.014"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.003", "T1021.006", "T1047", "T1053.005", "T1543.003", "T1059.001", "T1218.014"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic is designed to identify possible lateral movement attacks that involve the spawning of a PowerShell process as a child or grandchild process of commonly abused processes. These processes include services.exe, wmiprsve.exe, svchost.exe, wsmprovhost.exe, and mmc.exe.\ Such behavior is indicative of legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management, and the DCOM protocol being abused to start a process on a remote endpoint. This behavior is often seen during lateral movement techniques where adversaries or red teams abuse these services for lateral movement and remote code execution. 
@@ -34907,7 +35597,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Possible Lateral Movement PowerShell Spawn - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Malicious PowerShell", "Hermetic Wiper", "Data Destruction", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "mitre_attack": ["T1021", "T1021.003", "T1021.006", "T1047", "T1053.005", "T1543.003", "T1059.001", "T1218.014"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Malicious PowerShell", "Hermetic Wiper", "Data Destruction", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.003", "T1021.006", "T1047", "T1053.005", "T1543.003", "T1059.001", "T1218.014"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -34931,7 +35621,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This search identifies users who have entered their passwords in username fields. This is done by looking for failed authentication attempts using usernames with a length longer than 7 characters and a high Shannon entropy, and looks for the next successful authentication attempt from the same source system to the same destination system as the failed attempt. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078.003", "T1552.001"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.003", "T1552.001"], "nist": ["DE.AE"]} action.escu.data_models = ["Authentication"] action.escu.eli5 = This search identifies users who have entered their passwords in username fields. This is done by looking for failed authentication attempts using usernames with a length longer than 7 characters and a high Shannon entropy, and looks for the next successful authentication attempt from the same source system to the same destination system as the failed attempt. action.escu.how_to_implement = To successfully implement this search, you need to have relevant authentication logs mapped to the Authentication data model. You also need to have the Splunk TA URL Toolbox (https://splunkbase.splunk.com/app/2734/) installed. The detection must run with a time interval shorter than endtime+1000. 
@@ -34949,7 +35639,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Potential password in username - Rule -action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Insider Threat"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "mitre_attack": ["T1078.003", "T1552.001"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Insider Threat"], "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078.003", "T1552.001"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -34966,7 +35656,7 @@ search = | tstats `security_content_summariesonly` earliest(_time) AS starttime action.escu = 0 action.escu.enabled = 1 description = The following analytic uses a pretrained machine learning text classifier to detect potentially malicious commandlines. The model identifies unusual combinations of keywords found in samples of commandlines where adversaries executed powershell code, primarily for C2 communication. For example, adversaries will leverage IO capabilities such as "streamreader" and "webclient", threading capabilties such as "mutex" locks, programmatic constructs like "function" and "catch", and cryptographic operations like "computehash". Although observing one of these keywords in a commandline script is possible, combinations of keywords observed in attack data are not typically found in normal usage of the commandline. The model will output a score where all values above zero are suspicious, anything greater than one particularly so. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.003"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic uses a pretrained machine learning text classifier to detect potentially malicious commandlines. The model identifies unusual combinations of keywords found in samples of commandlines where adversaries executed powershell code, primarily for C2 communication. For example, adversaries will leverage IO capabilities such as "streamreader" and "webclient", threading capabilties such as "mutex" locks, programmatic constructs like "function" and "catch", and cryptographic operations like "computehash". Although observing one of these keywords in a commandline script is possible, combinations of keywords observed in attack data are not typically found in normal usage of the commandline. 
The model will output a score where all values above zero are suspicious, anything greater than one particularly so. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -34989,7 +35679,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Potentially malicious code on commandline - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Command-Line Executions"], "cis20": ["CIS 10"], "confidence": 20, "impact": 60, "mitre_attack": ["T1059.003"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious Command-Line Executions"], "cis20": ["CIS 10"], "confidence": 20, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -35006,7 +35696,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following Hunting analytic assists with identifying suspicious PowerShell execution using Script Block Logging, or EventCode 4104. This analytic is not meant to be ran hourly, but occasionally to identify malicious or suspicious PowerShell. This analytic is a combination of work completed by Alex Teixeira and Splunk Threat Research Team. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following Hunting analytic assists with identifying suspicious PowerShell execution using Script Block Logging, or EventCode 4104. This analytic is not meant to be ran hourly, but occasionally to identify malicious or suspicious PowerShell. This analytic is a combination of work completed by Alex Teixeira and Splunk Threat Research Team. action.escu.how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. 
@@ -35024,7 +35714,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - PowerShell 4104 Hunting - Rule -action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Rhysida Ransomware", "DarkGate Malware", "Flax Typhoon", "CISA AA23-347A", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Rhysida Ransomware", "DarkGate Malware", "Flax Typhoon", "CISA AA23-347A", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -35041,7 +35731,7 @@ search = `powershell` EventCode=4104 | eval DoIt = if(match(ScriptBlockText,"(?i action.escu = 0 action.escu.enabled = 1 description = The following hunting analytic identifies PowerShell commands utilizing the WindowStyle parameter to hide the window on the compromised endpoint. This combination of command-line options is suspicious because it is overriding the default PowerShell execution policy, attempts to hide its activity from the user, and connects to the Internet. Removed in this version of the query is New-Object. The analytic identifies all variations of WindowStyle, as PowerShell allows the ability to shorten the parameter. For example w, win, windowsty and so forth. In addition, through our research it was identified that PowerShell will interpret different command switch types beyond the hyphen. We have added endash, emdash, horizontal bar, and forward slash. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following hunting analytic identifies PowerShell commands utilizing the WindowStyle parameter to hide the window on the compromised endpoint. This combination of command-line options is suspicious because it is overriding the default PowerShell execution policy, attempts to hide its activity from the user, and connects to the Internet. Removed in this version of the query is New-Object. The analytic identifies all variations of WindowStyle, as PowerShell allows the ability to shorten the parameter. For example w, win, windowsty and so forth. In addition, through our research it was identified that PowerShell will interpret different command switch types beyond the hyphen. We have added endash, emdash, horizontal bar, and forward slash. 
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -35059,7 +35749,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - PowerShell - Connect To Internet With Hidden Window - Rule -action.correlationsearch.annotations = {"analytic_story": ["AgentTesla", "HAFNIUM Group", "Hermetic Wiper", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Malicious PowerShell", "Data Destruction", "Log4Shell CVE-2021-44228"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-44228"], "impact": 90, "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["AgentTesla", "HAFNIUM Group", "Hermetic Wiper", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Malicious PowerShell", "Data Destruction", "Log4Shell CVE-2021-44228"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-44228"], "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -35076,7 +35766,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes PowerShell ScriptBlock Logging to identify a script that is attempting to modify or add a component object model to inprocserver32 path within the registry. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1546.015", "T1059", "T1059.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.015", "T1059", "T1059.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell ScriptBlock Logging to identify a script that is attempting to modify or add a component object model to inprocserver32 path within the registry. action.escu.how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the PowerShell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. @@ -35099,7 +35789,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Powershell COM Hijacking InprocServer32 Modification - Rule -action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1546.015", "T1059", "T1059.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.015", "T1059", "T1059.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -35122,7 +35812,7 @@ search = `powershell` EventCode=4104 ScriptBlockText = "*Software\\Classes\\CLSI action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is using the `mutex` function. This function is commonly seen in some obfuscated PowerShell scripts to make sure that only one instance of there process is running on a compromise machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1027", "T1027.005", "T1059.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1027", "T1027.005", "T1059.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is using the `mutex` function. This function is commonly seen in some obfuscated PowerShell scripts to make sure that only one instance of there process is running on a compromise machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
@@ -35145,7 +35835,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Powershell Creating Thread Mutex - Rule -action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "mitre_attack": ["T1027", "T1027.005", "T1059.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1027", "T1027.005", "T1059.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -35168,7 +35858,7 @@ search = `powershell` EventCode=4104 ScriptBlockText = "*Threading.Mutex*" | sta action.escu = 0 action.escu.enabled = 1 description = This search identifies a modification in registry to disable the windows defender real time behavior monitoring. This event or technique is commonly seen in RATs, bots, or Trojans to disable AV to evade detections. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search identifies a modification in registry to disable the windows defender real time behavior monitoring. This event or technique is commonly seen in RATs, bots, or Trojans to disable AV to evade detections. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -35191,7 +35881,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Powershell Disable Security Monitoring - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Revil Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Revil Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -35216,7 +35906,7 @@ action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies specific PowerShell modules typically used to enumerate an organizations domain or users. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies specific PowerShell modules typically used to enumerate an organizations domain or users. \ 
@@ -35241,7 +35931,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - PowerShell Domain Enumeration - Rule -action.correlationsearch.annotations = {"analytic_story": ["Hermetic Wiper", "Malicious PowerShell", "CISA AA23-347A", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Hermetic Wiper", "Malicious PowerShell", "CISA AA23-347A", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -35266,7 +35956,7 @@ search = `powershell` EventCode=4104 ScriptBlockText IN (*get-netdomaintrust*, * action.escu = 0 action.escu.enabled = 1 description = This analytic utilizes PowerShell Script Block Logging (EventCode 4104) to identify the use of Enable-PSRemoting cmdlet. This cmdlet allows users to enable PowerShell remoting on a local or remote computer, which allows other computers to run commands on the target computer. The ability to remotely execute commands can be abused by attackers to take control of compromised systems and pivot to other systems on the network. By detecting the use of Enable-PSRemoting cmdlet via script block logging, this analytic can help organizations identify potential malicious activity related to attackers attempting to gain remote control of compromised systems. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic utilizes PowerShell Script Block Logging (EventCode 4104) to identify the use of Enable-PSRemoting cmdlet. This cmdlet allows users to enable PowerShell remoting on a local or remote computer, which allows other computers to run commands on the target computer. The ability to remotely execute commands can be abused by attackers to take control of compromised systems and pivot to other systems on the network. By detecting the use of Enable-PSRemoting cmdlet via script block logging, this analytic can help organizations identify potential malicious activity related to attackers attempting to gain remote control of compromised systems. action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. 
Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -35289,7 +35979,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - PowerShell Enable PowerShell Remoting - Rule -action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -35306,7 +35996,7 @@ search = `powershell` EventCode=4104 ScriptBlockText="*Enable-PSRemoting*" | sta action.escu = 0 action.escu.enabled = 1 description = This search is to detect a suspicious enabling of smb1protocol through `powershell.exe`. This technique was seen in some ransomware (like reddot) where it enable smb share to do the lateral movement and encrypt other files within the compromise network system. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1027", "T1027.005"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027", "T1027.005"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search is to detect a suspicious enabling of smb1protocol through `powershell.exe`. This technique was seen in some ransomware (like reddot) where it enable smb share to do the lateral movement and encrypt other files within the compromise network system. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event. 
@@ -35329,7 +36019,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Powershell Enable SMB1Protocol Feature - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1027", "T1027.005"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027", "T1027.005"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -35352,7 +36042,7 @@ search = `powershell` EventCode=4104 ScriptBlockText = "*Enable-WindowsOptionalF action.escu = 0 action.escu.enabled = 1 description = This search is to detect a COM CLSID execution through powershell. This technique was seen in several adversaries and malware like ransomware conti where it has a feature to execute command using COM Object. This technique may use by network operator at some cases but a good indicator if some application want to gain privilege escalation or bypass uac. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1546.015", "T1546", "T1059.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.015", "T1546", "T1059.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search is to detect a COM CLSID execution through powershell. This technique was seen in several adversaries and malware like ransomware conti where it has a feature to execute command using COM Object. This technique may use by network operator at some cases but a good indicator if some application want to gain privilege escalation or bypass uac. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. 
@@ -35375,7 +36065,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Powershell Execute COM Object - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "mitre_attack": ["T1546.015", "T1546", "T1059.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.015", "T1546", "T1059.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -35401,7 +36091,7 @@ description = The following analytic utilizes PowerShell Script Block Logging (E This analytic identifies `GetProcAddress` in the script block. This is not normal to be used by most PowerShell scripts and is typically unsafe/malicious. Many attack toolkits use GetProcAddress to obtain code execution. \ In use, `$var_gpa = $var_unsafe_native_methods.GetMethod(GetProcAddress` and later referenced/executed elsewhere. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1055", "T1059.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1059", "T1055", "T1059.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. \ This analytic identifies `GetProcAddress` in the script block. This is not normal to be used by most PowerShell scripts and is typically unsafe/malicious. Many attack toolkits use GetProcAddress to obtain code execution. \ 
@@ -35427,7 +36117,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule -action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "mitre_attack": ["T1059", "T1055", "T1059.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1059", "T1055", "T1059.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -35456,7 +36146,7 @@ description = The following analytic utilizes PowerShell Script Block Logging (E This analytic identifies `FromBase64String` within the script block. A typical malicious instance will include additional code. \ Command example - `[Byte[]]$var_code = [System.Convert]::FromBase64String(38uqIyMjQ6rG....` \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1027", "T1059.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1059", "T1027", "T1059.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies `FromBase64String` within the script block. A typical malicious instance will include additional code. \ 
@@ -35482,7 +36172,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule -action.correlationsearch.annotations = {"analytic_story": ["Hermetic Wiper", "Malicious PowerShell", "Winter Vivern", "AsyncRAT", "Data Destruction", "IcedID", "NjRAT"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1059", "T1027", "T1059.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Hermetic Wiper", "Malicious PowerShell", "Winter Vivern", "AsyncRAT", "Data Destruction", "IcedID", "NjRAT"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1059", "T1027", "T1059.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -35508,7 +36198,7 @@ search = `powershell` EventCode=4104 ScriptBlockText = "*frombase64string*" OR S action.escu = 0 action.escu.enabled = 1 description = The following hunting analytic identifies the use of `get-localgroup` being used with PowerShell to identify local groups on the endpoint. During triage, review parallel processes and identify any further suspicious behavior. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following hunting analytic identifies the use of `get-localgroup` being used with PowerShell to identify local groups on the endpoint. During triage, review parallel processes and identify any further suspicious behavior. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -35526,7 +36216,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - PowerShell Get LocalGroup Discovery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -35545,7 +36235,7 @@ action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies PowerShell cmdlet - `get-localgroup` being ran. Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies PowerShell cmdlet - `get-localgroup` being ran. Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \ 
@@ -35565,7 +36255,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Powershell Get LocalGroup Discovery with Script Block Logging - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -35582,7 +36272,7 @@ search = `powershell` EventCode=4104 ScriptBlockText = "*get-localgroup*" | stat action.escu = 0 action.escu.enabled = 1 description = This analytic identifies the use of the New-CIMSession cmdlet being created along with the Invoke-CIMMethod cmdlet being used within PowerShell. This particular behavior is similar to the usage of the Invoke-WMIMethod cmdlet, which is known for executing WMI commands on targets using NTLMv2 pass-the-hash authentication. The New-CIMSession cmdlet allows users to create a new CIM session object for a specified computer system, which can then be used to execute CIM operations remotely. Similarly, the Invoke-CIMMethod cmdlet is used to invoke a specified method on one or more CIM objects. Therefore, the combination of New-CIMSession and Invoke-CIMMethod cmdlets in PowerShell can potentially indicate malicious behavior, and this analytic can help detect such activity. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1047"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies the use of the New-CIMSession cmdlet being created along with the Invoke-CIMMethod cmdlet being used within PowerShell. This particular behavior is similar to the usage of the Invoke-WMIMethod cmdlet, which is known for executing WMI commands on targets using NTLMv2 pass-the-hash authentication. The New-CIMSession cmdlet allows users to create a new CIM session object for a specified computer system, which can then be used to execute CIM operations remotely. Similarly, the Invoke-CIMMethod cmdlet is used to invoke a specified method on one or more CIM objects. Therefore, the combination of New-CIMSession and Invoke-CIMMethod cmdlets in PowerShell can potentially indicate malicious behavior, and this analytic can help detect such activity. 
action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -35605,7 +36295,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - PowerShell Invoke CIMMethod CIMSession - Rule -action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1047"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -35622,7 +36312,7 @@ search = `powershell` EventCode=4104 ScriptBlockText IN ("*invoke-CIMMethod*", " action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the usage of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). The utility is used for executing WMI commands on targets using NTLMv2 pass-the-hash authentication. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects the usage of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). The utility is used for executing WMI commands on targets using NTLMv2 pass-the-hash authentication. action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -35645,7 +36335,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - PowerShell Invoke WmiExec Usage - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious WMI Use"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "mitre_attack": ["T1047"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious WMI Use"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -35670,7 +36360,7 @@ action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies "MSF.Powershell","MSF.Powershell.Meterpreter","MSF.Powershell.Meterpreter.Kiwi","MSF.Powershell.Meterpreter.Transport" being used. This behavior is related to when a Meterpreter session is started and the operator runs load_kiwi. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies "MSF.Powershell","MSF.Powershell.Meterpreter","MSF.Powershell.Meterpreter.Kiwi","MSF.Powershell.Meterpreter.Transport" being used. This behavior is related to when a Meterpreter session is started and the operator runs load_kiwi. \ 
@@ -35695,7 +36385,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Powershell Load Module in Meterpreter - Rule -action.correlationsearch.annotations = {"analytic_story": ["MetaSploit"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["MetaSploit"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -35722,7 +36412,7 @@ action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. \ This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. \ This analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. \ 
@@ -35747,7 +36437,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule -action.correlationsearch.annotations = {"analytic_story": ["Winter Vivern", "AgentTesla", "AsyncRAT", "Hermetic Wiper", "Malicious PowerShell", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Winter Vivern", "AgentTesla", "AsyncRAT", "Hermetic Wiper", "Malicious PowerShell", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -35772,7 +36462,7 @@ search = `powershell` EventCode=4104 ScriptBlockText IN ("*[system.reflection.as action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is processing compressed stream data. This is typically found in obfuscated PowerShell or PowerShell executing embedded .NET or binary files that are stream flattened and will be deflated durnig execution. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is processing compressed stream data. This is typically found in obfuscated PowerShell or PowerShell executing embedded .NET or binary files that are stream flattened and will be deflated durnig execution. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
@@ -35795,7 +36485,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Powershell Processing Stream Of Data - Rule -action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "AsyncRAT", "Hermetic Wiper", "Data Destruction", "IcedID"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "AsyncRAT", "Hermetic Wiper", "Data Destruction", "IcedID"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -35818,7 +36508,7 @@ search = `powershell` EventCode=4104 ScriptBlockText = "*IO.Compression.*" OR Sc action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a suspicious PowerShell script execution via EventCode 4104 that contains command to add or modify the trustedhost configuration in Windows OS. This behavior raises concerns due to the nature of modifications made to the 'TrustedHost' configuration, which typically involves adjusting settings crucial for remote connections and security protocols. Alterations in this area could potentially indicate attempts to manipulate trusted hosts or systems for unauthorized remote access, a tactic commonly observed in various unauthorized access or compromise attempts. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1021.006", "T1021"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.006", "T1021"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies a suspicious PowerShell script execution via EventCode 4104 that contains command to add or modify the trustedhost configuration in Windows OS. This behavior raises concerns due to the nature of modifications made to the 'TrustedHost' configuration, which typically involves adjusting settings crucial for remote connections and security protocols. Alterations in this area could potentially indicate attempts to manipulate trusted hosts or systems for unauthorized remote access, a tactic commonly observed in various unauthorized access or compromise attempts. action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
@@ -35841,7 +36531,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Powershell Remote Services Add TrustedHost - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1021.006", "T1021"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.006", "T1021"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -35864,7 +36554,7 @@ search = `powershell` EventCode=4104 ScriptBlockText = "*WSMan:\\localhost\\Cli action.escu = 0 action.escu.enabled = 1 description = this search is designed to detect suspicious powershell process that tries to inject code and to known/critical windows process and execute it using CreateRemoteThread. This technique is seen in several malware like trickbot and offensive tooling like cobaltstrike where it load a shellcode to svchost.exe to execute reverse shell to c2 and download another payload -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = this search is designed to detect suspicious powershell process that tries to inject code and to known/critical windows process and execute it using CreateRemoteThread. This technique is seen in several malware like trickbot and offensive tooling like cobaltstrike where it load a shellcode to svchost.exe to execute reverse shell to c2 and download another payload action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, Create Remote thread from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of create remote thread may be used. 
@@ -35887,7 +36577,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Powershell Remote Thread To Known Windows Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["Trickbot"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Trickbot"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -35910,7 +36600,7 @@ search = `sysmon` EventCode = 8 parent_process_name IN ("powershell_ise.exe", "p action.escu = 0 action.escu.enabled = 1 description = This analytic will identify a suspicious PowerShell command used to delete the Windows Defender folder. This technique was seen used by the WhisperGate malware campaign where it used Nirsofts advancedrun.exe to gain administrative privileges to then execute a PowerShell command to delete the Windows Defender folder. This is a good indicator the offending process is trying corrupt a Windows Defender installation. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This analytic will identify a suspicious PowerShell command used to delete the Windows Defender folder. This technique was seen used by the WhisperGate malware campaign where it used Nirsofts advancedrun.exe to gain administrative privileges to then execute a PowerShell command to delete the Windows Defender folder. This is a good indicator the offending process is trying corrupt a Windows Defender installation. action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
@@ -35933,7 +36623,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Powershell Remove Windows Defender Directory - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "WhisperGate"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "WhisperGate"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -35956,7 +36646,7 @@ search = `powershell` EventCode=4104 ScriptBlockText = "*rmdir *" AND ScriptBloc action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a suspicious PowerShell script execution via EventCode 4104 that contains multiple URLs within a function or array. This is typically found in obfuscated PowerShell or PowerShell executing embedded .NET or binary files that are attempting to download 2nd stage payloads. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.001", "T1105"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Command and Control"], "mitre_attack": ["T1059.001", "T1105"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies a suspicious PowerShell script execution via EventCode 4104 that contains multiple URLs within a function or array. This is typically found in obfuscated PowerShell or PowerShell executing embedded .NET or binary files that are attempting to download 2nd stage payloads. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts. action.escu.how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. 
@@ -35971,7 +36661,7 @@ action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Malicious PowerShell"] action.risk = 1 action.risk.param._risk_message = A suspicious powershell script used by $user$ on host $dest$ contains $url_count$ URLs in an array, this is commonly used for malware. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"threat_object_field": "file_name", "threat_object_type": "file name"}, {"threat_object_field": "url", "threat_object_type": "url string"}] +action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}, {"threat_object_field": "url", "threat_object_type": "url"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -35979,7 +36669,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - PowerShell Script Block With URL Chain - Rule -action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "mitre_attack": ["T1059.001", "T1105"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Installation", "Command and Control"], "mitre_attack": ["T1059.001", "T1105"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -36002,7 +36692,7 @@ search = `powershell` EventCode=4104 ScriptBlockText IN ("*http:*","*https:*") |
 action.escu = 0
 action.escu.enabled = 1
 description = Start-BitsTransfer is the PowerShell "version" of BitsAdmin.exe. Similar functionality is present. This technique variation is not as commonly used by adversaries, but has been abused in the past. Lesser known uses include the ability to set the `-TransferType` to `Upload` for exfiltration of files. In an instance where `Upload` is used, it is highly possible files will be archived. During triage, review parallel processes and process lineage. Capture any files on disk and review. For the remote domain or IP, what is the reputation?
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1197"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1197"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = Start-BitsTransfer is the PowerShell "version" of BitsAdmin.exe. Similar functionality is present. This technique variation is not as commonly used by adversaries, but has been abused in the past. Lesser known uses include the ability to set the `-TransferType` to `Upload` for exfiltration of files. In an instance where `Upload` is used, it is highly possible files will be archived. During triage, review parallel processes and process lineage. Capture any files on disk and review. For the remote domain or IP, what is the reputation?
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions.
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -36025,7 +36715,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - PowerShell Start-BitsTransfer - Rule
-action.correlationsearch.annotations = {"analytic_story": ["BITS Jobs"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1197"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["BITS Jobs"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1197"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -36048,7 +36738,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic identifies the use of PowerShell's Start-Service or Stop-Service cmdlets on an endpoint. These cmdlets allow users to start or stop a specified Windows service. The ability to manipulate services can be leveraged by attackers to disable or stop critical services, which can cause system instability or disrupt business operations. By detecting the use of Start-Service or Stop-Service cmdlets via PowerShell, this analytic can help organizations identify potential malicious activity related to attackers attempting to manipulate services on compromised systems. However, note that this behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. Therefore, it is recommended not to enable this analytic as a direct notable or TTP. Instead, it should be used as part of a broader set of security controls to detect and investigate potential threats.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.001"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This analytic identifies the use of PowerShell's Start-Service or Stop-Service cmdlets on an endpoint. These cmdlets allow users to start or stop a specified Windows service. The ability to manipulate services can be leveraged by attackers to disable or stop critical services, which can cause system instability or disrupt business operations. By detecting the use of Start-Service or Stop-Service cmdlets via PowerShell, this analytic can help organizations identify potential malicious activity related to attackers attempting to manipulate services on compromised systems.
However, note that this behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. Therefore, it is recommended not to enable this analytic as a direct notable or TTP. Instead, it should be used as part of a broader set of security controls to detect and investigate potential threats.
 action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
@@ -36071,7 +36761,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - PowerShell Start or Stop Service - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 20, "impact": 50, "mitre_attack": ["T1059.001"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 20, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -36088,7 +36778,7 @@ search = `powershell` EventCode=4104 ScriptBlockText IN ("*start-service*", "*st
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is using memory stream as new object backstore. The malicious PowerShell script will contain stream flate data and will be decompressed in memory to run or drop the actual payload. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is using memory stream as new object backstore. The malicious PowerShell script will contain stream flate data and will be decompressed in memory to run or drop the actual payload. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.
 action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
@@ -36111,7 +36801,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Powershell Using memory As Backing Store - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction", "IcedID"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction", "IcedID"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.001", "T1059"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -36134,7 +36824,7 @@ search = `powershell` EventCode=4104 ScriptBlockText = *New-Object* ScriptBlockT
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic identifies a common fileless malware staging technique of using .NET classes to directly download a URL payload into memory. The analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.001", "T1105", "T1027.011"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Command and Control", "Exploitation"], "mitre_attack": ["T1059.001", "T1105", "T1027.011"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = This analytic identifies a common fileless malware staging technique of using .NET classes to directly download a URL payload into memory. The analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution.
 action.escu.how_to_implement = The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
@@ -36149,7 +36839,7 @@ action.escu.providing_technologies = ["Microsoft Windows"]
 action.escu.analytic_story = ["Malicious PowerShell"]
 action.risk = 1
 action.risk.param._risk_message = Powershell webrequest to memory stream behavior. Possible fileless malware staging on $dest$ by $user$.
-action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"threat_object_field": "file_name", "threat_object_type": "file name"}]
+action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -36157,7 +36847,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - PowerShell WebRequest Using Memory Stream - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "mitre_attack": ["T1059.001", "T1105", "T1027.011"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Installation", "Command and Control", "Exploitation"], "mitre_attack": ["T1059.001", "T1105", "T1027.011"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -36180,7 +36870,7 @@ search = `powershell` EventCode=4104 ScriptBlockText IN ("*system.net.webclient
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic will detect a suspicious process commandline related to windows defender exclusion feature. This command is abused by adversaries, malware author and red teams to bypassed Windows Defender Anti-Virus product by excluding folder path, file path, process, extensions and etc. from its real time or schedule scan to execute their malicious code. This is a good indicator for defense evasion and to look further for events after this behavior.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = This analytic will detect a suspicious process commandline related to windows defender exclusion feature. This command is abused by adversaries, malware author and red teams to bypassed Windows Defender Anti-Virus product by excluding folder path, file path, process, extensions and etc. from its real time or schedule scan to execute their malicious code. This is a good indicator for defense evasion and to look further for events after this behavior.
 action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.
@@ -36203,7 +36893,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Powershell Windows Defender Exclusion Commands - Rule
-action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-320A", "AgentTesla", "Remcos", "Windows Defense Evasion Tactics", "Data Destruction", "WhisperGate", "Warzone RAT"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-320A", "AgentTesla", "Remcos", "Windows Defense Evasion Tactics", "Data Destruction", "WhisperGate", "Warzone RAT"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -36226,7 +36916,7 @@ search = `powershell` EventCode=4104 (Message = "*Add-MpPreference *" OR Message
 action.escu = 0
 action.escu.enabled = 1
 description = This search is to detect a suspicious bcdedit.exe execution to ignore all failures. This technique was used by ransomware to prevent the compromise machine automatically boot in repair mode.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search is to detect a suspicious bcdedit.exe execution to ignore all failures. This technique was used by ransomware to prevent the compromise machine automatically boot in repair mode.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -36249,7 +36939,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Prevent Automatic Repair Mode using Bcdedit - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Chaos Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Chaos Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -36272,7 +36962,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This analytic is to detect a suspicious modification or new registry entry regarding print processor. This registry is known to be abuse by turla or other APT to gain persistence and privilege escalation to the compromised machine. This is done by adding the malicious dll payload on the new created key in this registry that will be executed as it restarted the spoolsv.exe process and services.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic is to detect a suspicious modification or new registry entry regarding print processor. This registry is known to be abuse by turla or other APT to gain persistence and privilege escalation to the compromised machine. This is done by adding the malicious dll payload on the new created key in this registry that will be executed as it restarted the spoolsv.exe process and services.
 action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon.
The data used for this search is typically generated via logs that report reads and writes to the registry.
@@ -36295,7 +36985,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Print Processor Registry Autostart - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Windows Privilege Escalation", "Hermetic Wiper", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Windows Privilege Escalation", "Hermetic Wiper", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -36320,7 +37010,7 @@ action.escu.enabled = 1
 description = The following analytic identifies new printer drivers being load by utilizing the Windows PrintService operational logs, EventCode 316. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. \
 Within the proof of concept code, the following event will occur - "Printer driver 1234 for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, kernelbase.dll, evil.dll. No user action is required." \
 During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events and review the source of where the exploitation began.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies new printer drivers being load by utilizing the Windows PrintService operational logs, EventCode 316. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. \
 Within the proof of concept code, the following event will occur - "Printer driver 1234 for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, kernelbase.dll, evil.dll. No user action is required." \
@@ -36345,7 +37035,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Print Spooler Adding A Printer Driver - Rule
-action.correlationsearch.annotations = {"analytic_story": ["PrintNightmare CVE-2021-34527"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-34527", "CVE-2021-1675"], "impact": 80, "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["PrintNightmare CVE-2021-34527"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-34527", "CVE-2021-1675"], "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -36373,7 +37063,7 @@ description = The following analytic identifies driver load errors utilizing the
 Within the proof of concept code, the following error will occur - "The print spooler failed to load a plug-in module C:\Windows\system32\spool\DRIVERS\x64\3\meterpreter.dll, error code 0x45A. See the event user data for context information." \
 The analytic is based on file path and failure to load the plug-in. \
 During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies driver load errors utilizing the Windows PrintService Admin logs. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. \
 Within the proof of concept code, the following error will occur - "The print spooler failed to load a plug-in module C:\Windows\system32\spool\DRIVERS\x64\3\meterpreter.dll, error code 0x45A. See the event user data for context information." \
@@ -36399,7 +37089,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Print Spooler Failed to Load a Plug-in - Rule
-action.correlationsearch.annotations = {"analytic_story": ["PrintNightmare CVE-2021-34527"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-34527", "CVE-2021-1675"], "impact": 80, "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["PrintNightmare CVE-2021-34527"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-34527", "CVE-2021-1675"], "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -36425,7 +37115,7 @@ search = `printservice` ((ErrorCode="0x45A" (EventCode="808" OR EventCode="4909"
 action.escu = 0
 action.escu.enabled = 1
 description = This search looks for a process launching an `*.lnk` file under `C:\User*` or `*\Local\Temp\*`. This is common behavior used by various spear phishing tools.
-action.escu.mappings = {"cis20": ["CIS 13"], "mitre_attack": ["T1566", "T1566.002"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.002"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search looks for a process launching an `*.lnk` file under `C:\User*` or `*\Local\Temp\*`. This is common behavior used by various spear phishing tools.
 action.escu.how_to_implement = You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon.
@@ -36448,7 +37138,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Process Creating LNK file in Suspicious Location - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "Qakbot", "IcedID", "Amadey"], "cis20": ["CIS 13"], "confidence": 90, "impact": 70, "mitre_attack": ["T1566", "T1566.002"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments", "Qakbot", "IcedID", "Amadey"], "cis20": ["CIS 13"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1566", "T1566.002"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -36471,7 +37161,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This detection is to identify a suspicious process that tries to delete the process file path related to its process. This technique is known to be defense evasion once a certain condition of malware is satisfied or not. Clop ransomware use this technique where it will try to delete its process file path using a .bat command if the keyboard layout is not the layout it tries to infect.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = This detection is to identify a suspicious process that tries to delete the process file path related to its process. This technique is known to be defense evasion once a certain condition of malware is satisfied or not. Clop ransomware use this technique where it will try to delete its process file path using a .bat command if the keyboard layout is not the layout it tries to infect.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -36494,7 +37184,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Process Deleting Its Process File Path - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Clop Ransomware", "Data Destruction", "WhisperGate", "Remcos"], "cis20": ["CIS 10"], "confidence": 100, "impact": 60, "mitre_attack": ["T1070"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Clop Ransomware", "Data Destruction", "WhisperGate", "Remcos"], "cis20": ["CIS 10"], "confidence": 100, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -36517,7 +37207,7 @@ search = `sysmon` EventCode=1 CommandLine = "* /c *" CommandLine = "* del*" Imag
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies `WmiPrvSE.exe` spawning a process. This typically occurs when a process is instantiated from a local or remote process using `wmic.exe`. During triage, review parallel processes for suspicious behavior or commands executed. Review the process and command-line spawning from `wmiprvse.exe`. Contain and remediate the endpoint as necessary.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies `WmiPrvSE.exe` spawning a process. This typically occurs when a process is instantiated from a local or remote process using `wmic.exe`. During triage, review parallel processes for suspicious behavior or commands executed. Review the process and command-line spawning from `wmiprvse.exe`. Contain and remediate the endpoint as necessary.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -36540,7 +37230,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Process Execution via WMI - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious WMI Use"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious WMI Use"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -36563,7 +37253,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies the use of `wmic.exe` using `delete` to remove a executable path. This is typically ran via a batch file during beginning stages of an adversary setting up for mining on an endpoint.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies the use of `wmic.exe` using `delete` to remove a executable path. This is typically ran via a batch file during beginning stages of an adversary setting up for mining on an endpoint.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -36586,7 +37276,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Process Kill Base On File Path - Rule
-action.correlationsearch.annotations = {"analytic_story": ["XMRig"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["XMRig"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -36609,7 +37299,7 @@ search = | tstats `security_content_summariesonly` values(Processes.process) as
 action.escu = 0
 action.escu.enabled = 1
 description = DynamicWrapperX is an ActiveX component that can be used in a script to call Windows API functions, but it requires the dynwrapx.dll to be installed and registered. With that, a binary writing dynwrapx.dll to disk and registering it into the registry is highly suspect. Why is it needed? In most malicious instances, it will be written to disk at a non-standard location. During triage, review parallel processes and pivot on the process_guid. Review the registry for any suspicious modifications meant to load dynwrapx.dll. Identify any suspicious module loads of dynwrapx.dll. This will identify the process that will invoke vbs/wscript/cscript.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1559.001"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1559.001"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = DynamicWrapperX is an ActiveX component that can be used in a script to call Windows API functions, but it requires the dynwrapx.dll to be installed and registered. With that, a binary writing dynwrapx.dll to disk and registering it into the registry is highly suspect. Why is it needed? In most malicious instances, it will be written to disk at a non-standard location. During triage, review parallel processes and pivot on the process_guid. Review the registry for any suspicious modifications meant to load dynwrapx.dll. Identify any suspicious module loads of dynwrapx.dll. This will identify the process that will invoke vbs/wscript/cscript.
action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
@@ -36627,7 +37317,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Process Writing DynamicWrapperX - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Remcos"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1059", "T1559.001"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Remcos"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1559.001"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -36644,7 +37334,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model.
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -36667,7 +37357,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Processes launching netsh - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Netsh Abuse", "Disabling Security Tools", "DHS Report TA18-074A", "Azorult", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 70, "impact": 20, "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Netsh Abuse", "Disabling Security Tools", "DHS Report TA18-074A", "Azorult", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 70, "impact": 20, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.004", "T1562"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -36730,7 +37420,7 @@ search = | from datamodel Alerts.Alerts | search app=osquery:results name=pack_o
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following hunting analytic leverages Event ID 4698, `A scheduled task was created`, to identify the creation of a Scheduled Task with a suspicious, high entropy, Task Name. To achieve this, this analytic also leverages the `ut_shannon` function from the URL ToolBox Splunk application. Red teams and adversaries alike may abuse the Task Scheduler to create and start a remote Scheduled Task and obtain remote code execution. To achieve this goal, tools like Impacket or Crapmapexec, typically create a Scheduled Task with a random task name on the victim host. This hunting analytic may help defenders identify Scheduled Tasks created as part of a lateral movement attack. The entropy threshold `ut_shannon > 3` should be customized by users. The Command field can be used to determine if the task has malicious intent or not.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following hunting analytic leverages Event ID 4698, `A scheduled task was created`, to identify the creation of a Scheduled Task with a suspicious, high entropy, Task Name. To achieve this, this analytic also leverages the `ut_shannon` function from the URL ToolBox Splunk application.
Red teams and adversaries alike may abuse the Task Scheduler to create and start a remote Scheduled Task and obtain remote code execution. To achieve this goal, tools like Impacket or Crapmapexec, typically create a Scheduled Task with a random task name on the victim host. This hunting analytic may help defenders identify Scheduled Tasks created as part of a lateral movement attack. The entropy threshold `ut_shannon > 3` should be customized by users. The Command field can be used to determine if the task has malicious intent or not.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA as well as the URL ToolBox application are also required.
@@ -36748,7 +37438,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Randomly Generated Scheduled Task Name - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-257A", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-257A", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -36765,7 +37455,7 @@ search = `wineventlog_security` EventCode=4698 | xmlkv Message | lookup ut_shan
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following hunting analytic leverages Event ID 7045, `A new service was installed in the system`, to identify the installation of a Windows Service with a suspicious, high entropy, Service Name. To achieve this, this analytic also leverages the `ut_shannon` function from the URL ToolBox Splunk application. Red teams and adversaries alike may abuse the Service Control Manager to create and start a remote Windows Service and obtain remote code execution. To achieve this goal, some tools like Metasploit, Cobalt Strike and Impacket, typically create a Windows Service with a random service name on the victim host. This hunting analytic may help defenders identify Windows Services installed as part of a lateral movement attack. The entropy threshold `ut_shannon > 3` should be customized by users. The Service_File_Name field can be used to determine if the Windows Service has malicious intent or not.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following hunting analytic leverages Event ID 7045, `A new service was installed in the system`, to identify the installation of a Windows Service with a suspicious, high entropy, Service Name.
To achieve this, this analytic also leverages the `ut_shannon` function from the URL ToolBox Splunk application. Red teams and adversaries alike may abuse the Service Control Manager to create and start a remote Windows Service and obtain remote code execution. To achieve this goal, some tools like Metasploit, Cobalt Strike and Impacket, typically create a Windows Service with a random service name on the victim host. This hunting analytic may help defenders identify Windows Services installed as part of a lateral movement attack. The entropy threshold `ut_shannon > 3` should be customized by users. The Service_File_Name field can be used to determine if the Windows Service has malicious intent or not.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. The Windows TA as well as the URL ToolBox application are also required.
@@ -36783,7 +37473,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Randomly Generated Windows Service Name - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -36800,7 +37490,7 @@ search = `wineventlog_system` EventCode=7045 | lookup ut_shannon_lookup word as
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytics identifies a big number of instance of ransomware notes (filetype e.g .txt, .html, .hta) file creation to the infected machine. This behavior is a good sensor if the ransomware note filename is quite new for security industry or the ransomware note filename is not in your ransomware lookup table list for monitoring.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytics identifies a big number of instance of ransomware notes (filetype e.g .txt, .html, .hta) file creation to the infected machine. This behavior is a good sensor if the ransomware note filename is quite new for security industry or the ransomware note filename is not in your ransomware lookup table list for monitoring.
 action.escu.how_to_implement = You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.
@@ -36823,7 +37513,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Ransomware Notes bulk creation - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Clop Ransomware", "DarkSide Ransomware", "BlackMatter Ransomware", "Chaos Ransomware", "LockBit Ransomware", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "mitre_attack": ["T1486"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Clop Ransomware", "DarkSide Ransomware", "BlackMatter Ransomware", "Chaos Ransomware", "LockBit Ransomware", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -36840,7 +37530,7 @@ search = `sysmon` EventCode=11 file_name IN ("*\.txt","*\.html","*\.hta") |bin _
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 performing checks to identify anti-virus products installed on the endpoint. This technique is commonly found in malware and APT events where the adversary will map all running security applications or services. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1592"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies suspicious PowerShell script execution via EventCode 4104 performing checks to identify anti-virus products installed on the endpoint. This technique is commonly found in malware and APT events where the adversary will map all running security applications or services. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.
 action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
@@ -36863,7 +37553,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Recon AVProduct Through Pwh or WMI - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Qakbot", "Windows Post-Exploitation", "Hermetic Wiper", "Ransomware", "Prestige Ransomware", "Malicious PowerShell", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1592"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Qakbot", "Windows Post-Exploitation", "Hermetic Wiper", "Ransomware", "Prestige Ransomware", "Malicious PowerShell", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -36886,7 +37576,7 @@ search = `powershell` EventCode=4104 (ScriptBlockText = "*SELECT*" OR ScriptBloc
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies suspicious PowerShell via EventCode 4104, where WMI is performing an event query looking for running processes or running services. This technique is commonly found where the adversary will identify services and system information on the compromised machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1592", "T1059.001"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance", "Installation"], "mitre_attack": ["T1592", "T1059.001"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies suspicious PowerShell via EventCode 4104, where WMI is performing an event query looking for running processes or running services. This technique is commonly found where the adversary will identify services and system information on the compromised machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.
 action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
@@ -36909,7 +37599,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Recon Using WMI Class - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT", "Qakbot", "Industroyer2", "Hermetic Wiper", "LockBit Ransomware", "Malicious PowerShell", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 80, "impact": 75, "mitre_attack": ["T1592", "T1059.001"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT", "Qakbot", "Industroyer2", "Hermetic Wiper", "LockBit Ransomware", "Malicious PowerShell", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 80, "impact": 75, "kill_chain_phases": ["Reconnaissance", "Installation"], "mitre_attack": ["T1592", "T1059.001"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -36926,7 +37616,7 @@ search = `powershell` EventCode=4104 (ScriptBlockText= "*SELECT*" OR ScriptBlock
 action.escu = 0
 action.escu.enabled = 1
 description = This search is to detect a suspicious commandline designed to delete files or directory recursive using batch command. This technique was seen in ransomware (reddot) where it it tries to delete the files in recycle bin to impaire user from recovering deleted files.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search is to detect a suspicious commandline designed to delete files or directory recursive using batch command. This technique was seen in ransomware (reddot) where it it tries to delete the files in recycle bin to impaire user from recovering deleted files.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -36949,7 +37639,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Recursive Delete of Directory In Batch CMD - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.004", "T1070"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -36972,7 +37662,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The search looks for reg.exe modifying registry keys that define Windows services and their configurations.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1574.011", "T1574"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.011", "T1574"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The search looks for reg.exe modifying registry keys that define Windows services and their configurations.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -36995,7 +37685,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Service Abuse", "Windows Persistence Techniques", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 60, "impact": 75, "mitre_attack": ["T1574.011", "T1574"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Service Abuse", "Windows Persistence Techniques", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 60, "impact": 75, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1574.011", "T1574"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -37018,7 +37708,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This search looks for registry activity associated with application compatibility shims, which can be leveraged by attackers for various nefarious purposes.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search looks for registry activity associated with application compatibility shims, which can be leveraged by attackers for various nefarious purposes.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
@@ -37041,7 +37731,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Registry Keys for Creating SHIM Databases - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -37064,7 +37754,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = The search looks for modifications or alterations made to registry keys that have the potential to initiate the launch of an application or service during system startup. By monitoring and detecting modifications in these registry keys, we can identify suspicious or unauthorized changes that could be indicative of malicious activity. This proactive approach helps in safeguarding the system's integrity and security by promptly identifying and mitigating potential threats that aim to gain persistence or execute malicious actions during the startup process.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.001", "T1547"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.001", "T1547"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The search looks for modifications or alterations made to registry keys that have the potential to initiate the launch of an application or service during system startup. By monitoring and detecting modifications in these registry keys, we can identify suspicious or unauthorized changes that could be indicative of malicious activity. This proactive approach helps in safeguarding the system's integrity and security by promptly identifying and mitigating potential threats that aim to gain persistence or execute malicious actions during the startup process.
 action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon.
The data used for this search is typically generated via logs that report reads and writes to the registry.
@@ -37087,7 +37777,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Registry Keys Used For Persistence - Rule
-action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT", "Ransomware", "Windows Persistence Techniques", "DarkGate Malware", "NjRAT", "RedLine Stealer", "IcedID", "Sneaky Active Directory Persistence Tricks", "Chaos Ransomware", "Azorult", "DHS Report TA18-074A", "Emotet Malware DHS Report TA18-201A ", "Remcos", "Windows Registry Abuse", "Qakbot", "Suspicious MSHTA Activity", "Suspicious Windows Registry Activities", "Warzone RAT", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Amadey", "BlackByte Ransomware", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 95, "impact": 80, "mitre_attack": ["T1547.001", "T1547"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT", "Ransomware", "Windows Persistence Techniques", "DarkGate Malware", "NjRAT", "RedLine Stealer", "IcedID", "Sneaky Active Directory Persistence Tricks", "Chaos Ransomware", "Azorult", "DHS Report TA18-074A", "Emotet Malware DHS Report TA18-201A ", "Remcos", "Windows Registry Abuse", "Qakbot", "Suspicious MSHTA Activity", "Suspicious Windows Registry Activities", "Warzone RAT", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Amadey", "BlackByte Ransomware", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 95, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.001", "T1547"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -37110,7 +37800,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This search looks for modifications to registry keys that can be used to elevate privileges. The registry keys under "Image File Execution Options" are used to intercept calls to an executable and can be used to attach malicious binaries to benign system binaries.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1546.012", "T1546"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.012", "T1546"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search looks for modifications to registry keys that can be used to elevate privileges. The registry keys under "Image File Execution Options" are used to intercept calls to an executable and can be used to attach malicious binaries to benign system binaries.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709
@@ -37133,7 +37823,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Registry Keys Used For Privilege Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cloud Federated Credential Abuse", "Hermetic Wiper", "Windows Privilege Escalation", "Windows Registry Abuse", "Data Destruction", "Suspicious Windows Registry Activities"], "cis20": ["CIS 10"], "confidence": 95, "impact": 80, "mitre_attack": ["T1546.012", "T1546"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Cloud Federated Credential Abuse", "Hermetic Wiper", "Windows Privilege Escalation", "Windows Registry Abuse", "Data Destruction", "Suspicious Windows Registry Activities"], "cis20": ["CIS 10"], "confidence": 95, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.012", "T1546"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -37156,7 +37846,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect a loading of dll using regsvr32 application with silent parameter and dllinstall execution. This technique was seen in several RAT malware similar to remcos, njrat and adversaries to load their malicious DLL on the compromised machine. This TTP may executed by normal 3rd party application so it is better to pivot by the parent process, parent command-line and command-line of the file that execute this regsvr32. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to detect a loading of dll using regsvr32 application with silent parameter and dllinstall execution. This technique was seen in several RAT malware similar to remcos, njrat and adversaries to load their malicious DLL on the compromised machine. This TTP may executed by normal 3rd party application so it is better to pivot by the parent process, parent command-line and command-line of the file that execute this regsvr32. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -37179,7 +37869,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule -action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT", "Hermetic Wiper", "Living Off The Land", "Data Destruction", "Remcos", "Suspicious Regsvr32 Activity"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT", "Hermetic Wiper", "Living Off The Land", "Data Destruction", "Remcos", "Suspicious Regsvr32 Activity"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -37196,7 +37886,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies Regsvr32.exe utilizing the silent switch to load DLLs. This technique has most recently been seen in IcedID campaigns to load its initial dll that will download the 2nd stage loader that will download and decrypt the config payload. The switch type may be either a hyphen `-` or forward slash `/`. This behavior is typically found with `-s`, and it is possible there are more switch types that may be used. \ During triage, review parallel processes and capture any artifacts that may have landed on disk. Isolate and contain the endpoint as necessary. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies Regsvr32.exe utilizing the silent switch to load DLLs. This technique has most recently been seen in IcedID campaigns to load its initial dll that will download the 2nd stage loader that will download and decrypt the config payload. The switch type may be either a hyphen `-` or forward slash `/`. This behavior is typically found with `-s`, and it is possible there are more switch types that may be used. \ During triage, review parallel processes and capture any artifacts that may have landed on disk. Isolate and contain the endpoint as necessary. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. 
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -37219,7 +37909,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Suspicious Regsvr32 Activity", "Remcos", "Living Off The Land", "Qakbot", "AsyncRAT"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Suspicious Regsvr32 Activity", "Remcos", "Living Off The Land", "Qakbot", "AsyncRAT"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -37236,7 +37926,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the presence of a registry key related to the Remcos RAT agent on a host. This detection is made by a Splunk query to search for instances where the registry key "license" is found in the "Software\Remcos" path. This analytic combines information from two data models: Endpoint.Processes and Endpoint.Registry and retrieves process information such as user, process ID, process name, process path, destination, parent process name, parent process, and process GUID. This analytic also retrieves registry information such as registry path, registry key name, registry value name, registry value data, and process GUID. By joining the process GUID from the Endpoint.Processes data model with the process GUID from the Endpoint.Registry data model, the analytic identifies instances where the "license" registry key is found in the "Software\Remcos" path. This detection is important because it suggests that the host has been compromised by the Remcos RAT agent. Remcos is a well-known remote access Trojan that can be used by attackers to gain unauthorized access to systems and exfiltrate sensitive data. Identifying this behavior allows the SOC to take immediate action to remove the RAT agent and prevent further compromise. The impact of this attack can be severe, as the attacker can gain unauthorized access to the system, steal sensitive information, or use the compromised system as a launching point for further attacks. Next steps include using this analytic in conjunction with other security measures and threat intelligence to ensure accurate detection and response. 
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects the presence of a registry key related to the Remcos RAT agent on a host. This detection is made by a Splunk query to search for instances where the registry key "license" is found in the "Software\Remcos" path. This analytic combines information from two data models: Endpoint.Processes and Endpoint.Registry and retrieves process information such as user, process ID, process name, process path, destination, parent process name, parent process, and process GUID. This analytic also retrieves registry information such as registry path, registry key name, registry value name, registry value data, and process GUID. By joining the process GUID from the Endpoint.Processes data model with the process GUID from the Endpoint.Registry data model, the analytic identifies instances where the "license" registry key is found in the "Software\Remcos" path. This detection is important because it suggests that the host has been compromised by the Remcos RAT agent. Remcos is a well-known remote access Trojan that can be used by attackers to gain unauthorized access to systems and exfiltrate sensitive data. Identifying this behavior allows the SOC to take immediate action to remove the RAT agent and prevent further compromise. The impact of this attack can be severe, as the attacker can gain unauthorized access to the system, steal sensitive information, or use the compromised system as a launching point for further attacks. Next steps include using this analytic in conjunction with other security measures and threat intelligence to ensure accurate detection and response. 
action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -37259,7 +37949,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Remcos client registry install entry - Rule -action.correlationsearch.annotations = {"analytic_story": ["Remcos", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "mitre_attack": ["T1112"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Remcos", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -37282,7 +37972,7 @@ search = | tstats `security_content_summariesonly` count min(_time) AS firstTime action.escu = 0 action.escu.enabled = 1 description = This search is to detect file creation in remcos folder in appdata which is the keylog and clipboard logs that will be send to its c2 server. This is really a good TTP indicator that there is a remcos rat in the system that do keylogging, clipboard grabbing and audio recording. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search is to detect file creation in remcos folder in appdata which is the keylog and clipboard logs that will be send to its c2 server. This is really a good TTP indicator that there is a remcos rat in the system that do keylogging, clipboard grabbing and audio recording. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. @@ -37305,7 +37995,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Remcos RAT File Creation in Remcos Folder - Rule -action.correlationsearch.annotations = {"analytic_story": ["Remcos"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "mitre_attack": ["T1113"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Remcos"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -37328,7 +38018,7 @@ search = |tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. This search looks for the remote desktop process mstsc.exe running on systems upon which it doesn't typically run. This is accomplished by filtering out all systems that are noted in the `common_rdp_source category` in the Assets and Identity framework. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for the remote desktop process mstsc.exe running on systems upon which it doesn't typically run. This is accomplished by filtering out all systems that are noted in the `common_rdp_source category` in the Assets and Identity framework. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -37346,7 +38036,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Remote Desktop Process Running On System - Rule -action.correlationsearch.annotations = {"analytic_story": ["Hidden Cobra Malware", "Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Hidden Cobra Malware", "Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021.001", "T1021"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -37363,7 +38053,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `powershell.exe` with arguments utilized to start a process on a remote endpoint by abusing the DCOM protocol. Specifically, this search looks for the abuse of ShellExecute and ExecuteShellCommand. Red Teams and adversaries alike may abuse DCOM and `powershell.exe` for lateral movement and remote code execution. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1021", "T1021.003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with arguments utilized to start a process on a remote endpoint by abusing the DCOM protocol. Specifically, this search looks for the abuse of ShellExecute and ExecuteShellCommand. Red Teams and adversaries alike may abuse DCOM and `powershell.exe` for lateral movement and remote code execution. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -37386,7 +38076,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Remote Process Instantiation via DCOM and PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "mitre_attack": ["T1021", "T1021.003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -37409,7 +38099,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of PowerShell with arguments utilized to start a process on a remote endpoint by abusing the DCOM protocol. Specifically, this search looks for the abuse of ShellExecute and ExecuteShellCommand. Red Teams and adversaries alike may abuse DCOM for lateral movement and remote code execution. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1021", "T1021.003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of PowerShell with arguments utilized to start a process on a remote endpoint by abusing the DCOM protocol. Specifically, this search looks for the abuse of ShellExecute and ExecuteShellCommand. Red Teams and adversaries alike may abuse DCOM for lateral movement and remote code execution. action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
@@ -37432,7 +38122,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Remote Process Instantiation via DCOM and PowerShell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "mitre_attack": ["T1021", "T1021.003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -37455,7 +38145,7 @@ search = `powershell` EventCode=4104 (ScriptBlockText="*Document.Application.She action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `powershell.exe` with arguments utilized to start a process on a remote endpoint by abusing the WinRM protocol. Specifically, this search looks for the abuse of the `Invoke-Command` commandlet. Red Teams and adversaries alike may abuse WinRM and `powershell.exe` for lateral movement and remote code execution. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with arguments utilized to start a process on a remote endpoint by abusing the WinRM protocol. Specifically, this search looks for the abuse of the `Invoke-Command` commandlet. Red Teams and adversaries alike may abuse WinRM and `powershell.exe` for lateral movement and remote code execution. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -37478,7 +38168,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Remote Process Instantiation via WinRM and PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -37501,7 +38191,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of PowerShell with arguments utilized to start a process on a remote endpoint by abusing the WinRM protocol. Specifically, this search looks for the abuse of the `Invoke-Command` commandlet. Red Teams and adversaries alike may abuse WinRM for lateral movement and remote code execution. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of PowerShell with arguments utilized to start a process on a remote endpoint by abusing the WinRM protocol. Specifically, this search looks for the abuse of the `Invoke-Command` commandlet. Red Teams and adversaries alike may abuse WinRM for lateral movement and remote code execution. action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
@@ -37524,7 +38214,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Remote Process Instantiation via WinRM and PowerShell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -37547,7 +38237,7 @@ search = `powershell` EventCode=4104 (ScriptBlockText="*Invoke-Command*" AND Scr action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `winrs.exe` with command-line arguments utilized to start a process on a remote endpoint. Red Teams and adversaries alike may abuse the WinRM protocol and this binary for lateral movement and remote code execution. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `winrs.exe` with command-line arguments utilized to start a process on a remote endpoint. Red Teams and adversaries alike may abuse the WinRM protocol and this binary for lateral movement and remote code execution. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -37570,7 +38260,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Remote Process Instantiation via WinRM and Winrs - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.006"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -37593,7 +38283,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic identifies wmic.exe being launched with parameters to spawn a process on a remote system. Red Teams and adversaries alike may abuse WMI and this binary for lateral movement and remote code execution. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic identifies wmic.exe being launched with parameters to spawn a process on a remote system. Red Teams and adversaries alike may abuse WMI and this binary for lateral movement and remote code execution. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -37616,7 +38306,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Remote Process Instantiation via WMI - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "CISA AA23-347A", "Active Directory Lateral Movement", "Suspicious WMI Use"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1047"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "CISA AA23-347A", "Active Directory Lateral Movement", "Suspicious WMI Use"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -37639,7 +38329,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for the execution of `powershell.exe` leveraging the `Invoke-WmiMethod` commandlet complemented with arguments utilized to start a process on a remote endpoint by abusing WMI. Red Teams and adversaries alike may abuse WMI and `powershell.exe` for lateral movement and remote code execution.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for the execution of `powershell.exe` leveraging the `Invoke-WmiMethod` commandlet complemented with arguments utilized to start a process on a remote endpoint by abusing WMI. Red Teams and adversaries alike may abuse WMI and `powershell.exe` for lateral movement and remote code execution.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -37662,7 +38352,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Remote Process Instantiation via WMI and PowerShell - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -37685,7 +38375,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Invoke-WmiMethod` commandlet with arguments utilized to start a process on a remote endpoint by abusing WMI. Red Teams and adversaries alike may abuse WMI and this commandlet for lateral movement and remote code execution.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Invoke-WmiMethod` commandlet with arguments utilized to start a process on a remote endpoint by abusing WMI. Red Teams and adversaries alike may abuse WMI and this commandlet for lateral movement and remote code execution.
 action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
@@ -37708,7 +38398,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Remote Process Instantiation via WMI and PowerShell Script Block - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -37731,7 +38421,7 @@ search = `powershell` EventCode=4104 ScriptBlockText="*Invoke-WmiMethod*" AND (S
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain computers. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain computers for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain computers. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain computers for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
@@ -37754,7 +38444,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Remote System Discovery with Adsisearcher - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -37777,7 +38467,7 @@ search = `powershell` EventCode=4104 ScriptBlockText = "*adsisearcher*" AND Scri
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to discover remote systems. The `computer` argument returns a list of all computers registered in the domain. Red Teams and adversaries alike engage in remote system discovery for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to discover remote systems. The `computer` argument returns a list of all computers registered in the domain. Red Teams and adversaries alike engage in remote system discovery for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -37795,7 +38485,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Remote System Discovery with Dsquery - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1018"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -37812,7 +38502,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to discover remote systems. The argument `domain computers /domain` returns a list of all domain computers. Red Teams and adversaries alike use net.exe to identify remote systems for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to discover remote systems. The argument `domain computers /domain` returns a list of all domain computers. Red Teams and adversaries alike use net.exe to identify remote systems for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -37830,7 +38520,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Remote System Discovery with Net - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "IcedID"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1018"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "IcedID"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -37847,7 +38537,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to discover remote systems. The arguments utilized in this command return a list of all the systems registered in the domain. Red Teams and adversaries alike may leverage WMI and wmic.exe to identify remote systems for situational awareness and Active Directory Discovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to discover remote systems. The arguments utilized in this command return a list of all the systems registered in the domain. Red Teams and adversaries alike may leverage WMI and wmic.exe to identify remote systems for situational awareness and Active Directory Discovery.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -37870,7 +38560,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Remote System Discovery with Wmic - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -37893,7 +38583,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies usage of `wmic.exe` spawning a local or remote process, identified by the `node` switch. During triage, review parallel processes for additional commands executed. Look for any file modifications before and after `wmic.exe` execution. In addition, identify the remote endpoint and confirm execution or file modifications. Contain and isolate the endpoint as needed.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies usage of `wmic.exe` spawning a local or remote process, identified by the `node` switch. During triage, review parallel processes for additional commands executed. Look for any file modifications before and after `wmic.exe` execution. In addition, identify the remote endpoint and confirm execution or file modifications. Contain and isolate the endpoint as needed.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -37916,7 +38606,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Remote WMI Command Attempt - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Graceful Wipe Out Attack", "Volt Typhoon", "Living Off The Land", "IcedID", "Suspicious WMI Use", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Graceful Wipe Out Attack", "Volt Typhoon", "Living Off The Land", "IcedID", "Suspicious WMI Use", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -37939,7 +38629,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytics identifies the resizing of shadowstorage by ransomware malware to avoid the shadow volumes being made again. this technique is an alternative by ransomware attacker than deleting the shadowstorage which is known alert in defensive team. one example of ransomware that use this technique is CLOP ransomware where it drops a .bat file that will resize the shadowstorage to minimum size as much as possible
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytics identifies the resizing of shadowstorage by ransomware malware to avoid the shadow volumes being made again. this technique is an alternative by ransomware attacker than deleting the shadowstorage which is known alert in defensive team. one example of ransomware that use this technique is CLOP ransomware where it drops a .bat file that will resize the shadowstorage to minimum size as much as possible
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model.
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -37962,7 +38652,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Resize ShadowStorage volume - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Clop Ransomware", "BlackByte Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Clop Ransomware", "BlackByte Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -37985,7 +38675,7 @@ search = | tstats `security_content_summariesonly` values(Processes.process) as
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic identifies suspicious commandline parameter that are commonly used by REVIL ransomware to encrypts the compromise machine.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1204"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic identifies suspicious commandline parameter that are commonly used by REVIL ransomware to encrypts the compromise machine.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -38008,7 +38698,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Revil Common Exec Parameter - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Revil Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "mitre_attack": ["T1204"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Revil Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -38031,7 +38721,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic identifies suspicious modification in registry entry to keep some malware data during its infection. This technique seen in several apt implant, malware and ransomware like REVIL where it keep some information like the random generated file extension it uses for all the encrypted files and ransomware notes file name in the compromised host.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic identifies suspicious modification in registry entry to keep some malware data during its infection. This technique seen in several apt implant, malware and ransomware like REVIL where it keep some information like the random generated file extension it uses for all the encrypted files and ransomware notes file name in the compromised host.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -38054,7 +38744,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Revil Registry Entry - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Revil Ransomware", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 60, "mitre_attack": ["T1112"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Revil Ransomware", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 100, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -38077,7 +38767,7 @@ search = | tstats `security_content_summariesonly` count min(_time) AS firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin Delpys Kekeo project and Vincent LE TOUXs MakeMeEnterpriseAdmin project. This analytic looks for the use of Rubeus command line arguments utilized in common Kerberos attacks like exporting and importing tickets, forging silver and golden tickets, requesting a TGT or TGS, kerberoasting, password spraying, etc. Red teams and adversaries alike use Rubeus for Kerberos attacks within Active Directory networks. Defenders should be aware that adversaries may customize the source code of Rubeus and modify the command line parameters. This would effectively bypass this analytic.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1550", "T1550.003", "T1558", "T1558.003", "T1558.004"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.003", "T1558", "T1558.003", "T1558.004"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin Delpys Kekeo project and Vincent LE TOUXs MakeMeEnterpriseAdmin project. This analytic looks for the use of Rubeus command line arguments utilized in common Kerberos attacks like exporting and importing tickets, forging silver and golden tickets, requesting a TGT or TGS, kerberoasting, password spraying, etc. Red teams and adversaries alike use Rubeus for Kerberos attacks within Active Directory networks. Defenders should be aware that adversaries may customize the source code of Rubeus and modify the command line parameters. This would effectively bypass this analytic.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -38100,7 +38790,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Rubeus Command Line Parameters - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation", "CISA AA23-347A", "Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "mitre_attack": ["T1550", "T1550.003", "T1558", "T1558.003", "T1558.004"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation", "CISA AA23-347A", "Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.003", "T1558", "T1558.003", "T1558.004"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -38123,7 +38813,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic looks for a process accessing the winlogon.exe system process. The Splunk Threat Research team identified this behavior when using the Rubeus tool to monitor for and export kerberos tickets from memory. Before being able to export tickets. Rubeus will try to escalate privileges to SYSTEM by obtaining a handle to winlogon.exe before trying to monitor for kerberos tickets. Exporting tickets from memory is typically the first step for pass the ticket attacks. Red teams and adversaries alike may use the pass the ticket technique using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Defenders should be aware that adversaries may customize the source code of Rubeus to potentially bypass this analytic.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1550", "T1550.003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.003"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic looks for a process accessing the winlogon.exe system process. The Splunk Threat Research team identified this behavior when using the Rubeus tool to monitor for and export kerberos tickets from memory. Before being able to export tickets. Rubeus will try to escalate privileges to SYSTEM by obtaining a handle to winlogon.exe before trying to monitor for kerberos tickets. Exporting tickets from memory is typically the first step for pass the ticket attacks. Red teams and adversaries alike may use the pass the ticket technique using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls.
Defenders should be aware that adversaries may customize the source code of Rubeus to potentially bypass this analytic.
 action.escu.how_to_implement = This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment.
@@ -38146,7 +38836,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Rubeus Kerberos Ticket Exports Through Winlogon Access - Rule
-action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "mitre_attack": ["T1550", "T1550.003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550", "T1550.003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -38169,7 +38859,7 @@ search = `sysmon` EventCode=10 TargetImage=C:\\Windows\\system32\\winlogon.exe action.escu = 0 action.escu.enabled = 1 description = This analytic look for a spawned runas.exe process with a administrator user option parameter. This parameter was abused by adversaries, malware author or even red teams to gain elevated privileges in target host. This is a good hunting query to figure out privilege escalation tactics that may used for different stages like lateral movement but take note that administrator may use this command in purpose so its better to see other event context before and after this analytic. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1134", "T1134.001"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134", "T1134.001"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic look for a spawned runas.exe process with a administrator user option parameter. This parameter was abused by adversaries, malware author or even red teams to gain elevated privileges in target host. This is a good hunting query to figure out privilege escalation tactics that may used for different stages like lateral movement but take note that administrator may use this command in purpose so its better to see other event context before and after this analytic. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -38187,7 +38877,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Runas Execution in CommandLine - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1134", "T1134.001"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134", "T1134.001"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -38204,7 +38894,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following hunting detection identifies rundll32.exe with `control_rundll` within the command-line, loading a .cpl or another file type. Developed in relation to CVE-2021-40444. Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. \ This is written to be a bit more broad by not including .cpl. \ During triage, review parallel processes to identify any further suspicious behavior. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following hunting detection identifies rundll32.exe with `control_rundll` within the command-line, loading a .cpl or another file type. Developed in relation to CVE-2021-40444. Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. \ This is written to be a bit more broad by not including .cpl. \ During triage, review parallel processes to identify any further suspicious behavior. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. 
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -38222,7 +38912,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Rundll32 Control RunDLL Hunt - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Rundll32 Activity", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-40444"], "impact": 30, "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious Rundll32 Activity", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-40444"], "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -38239,7 +38929,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following detection identifies rundll32.exe with `control_rundll` within the command-line, loading a .cpl or another file type from windows\temp, programdata, or appdata. Developed in relation to CVE-2021-40444. Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. This is written to be a bit more broad by not including .cpl. The paths are specified, add more as needed. During triage, review parallel processes to identify any further suspicious behavior. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following detection identifies rundll32.exe with `control_rundll` within the command-line, loading a .cpl or another file type from windows\temp, programdata, or appdata. Developed in relation to CVE-2021-40444. Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. This is written to be a bit more broad by not including .cpl. The paths are specified, add more as needed. During triage, review parallel processes to identify any further suspicious behavior. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -38262,7 +38952,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Rundll32 Control RunDLL World Writable Directory - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Rundll32 Activity", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-40444"], "impact": 80, "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious Rundll32 Activity", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-40444"], "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -38285,7 +38975,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic identifies the suspicious Remote Thread execution of rundll32.exe to any process. This technique was seen in IcedID malware to execute its malicious code in normal process for defense evasion and to steal sensitive information in the compromised host. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies the suspicious Remote Thread execution of rundll32.exe to any process. This technique was seen in IcedID malware to execute its malicious code in normal process for defense evasion and to steal sensitive information in the compromised host. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. @@ -38308,7 +38998,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Rundll32 Create Remote Thread To A Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -38331,7 +39021,7 @@ search = `sysmon` EventCode=8 SourceImage = "*\\rundll32.exe" TargetImage = "*.e action.escu = 0 action.escu.enabled = 1 description = This analytic identifies the suspicious Remote Thread execution of rundll32.exe process to "firefox.exe" and "chrome.exe" browser. This technique was seen in IcedID malware where it hooks the browser to parse banking information as user used the targetted browser process. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies the suspicious Remote Thread execution of rundll32.exe process to "firefox.exe" and "chrome.exe" browser. This technique was seen in IcedID malware where it hooks the browser to parse banking information as user used the targetted browser process. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. 
@@ -38354,7 +39044,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Rundll32 CreateRemoteThread In Browser - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -38377,7 +39067,7 @@ search = `sysmon` EventCode=8 SourceImage = "*\\rundll32.exe" TargetImage IN ("* action.escu = 0 action.escu.enabled = 1 description = This search is to detect a suspicious rundll32.exe process having a http connection and do a dns query in some web domain. This technique was seen in IcedID malware where the rundll32 that execute its payload will contact amazon.com to check internet connect and to communicate to its C&C server to download config and other file component. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search is to detect a suspicious rundll32.exe process having a http connection and do a dns query in some web domain. This technique was seen in IcedID malware where the rundll32 that execute its payload will contact amazon.com to check internet connect and to communicate to its C&C server to download config and other file component. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and eventcode = 22 dnsquery executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. 
@@ -38400,7 +39090,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Rundll32 DNSQuery - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -38423,7 +39113,7 @@ search = `sysmon` EventCode=22 process_name="rundll32.exe" | stats count min(_ti action.escu = 0 action.escu.enabled = 1 description = This search is to detect a suspicious rundll32 commandline to lock the workstation through command line. This technique was seen in CONTI leak tooling and script as part of its defense evasion. This technique is not a common practice to lock a screen and maybe a good indicator of compromise. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search is to detect a suspicious rundll32 commandline to lock the workstation through command line. This technique was seen in CONTI leak tooling and script as part of its defense evasion. This technique is not a common practice to lock a screen and maybe a good indicator of compromise. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -38438,7 +39128,7 @@ action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Bla action.escu.analytic_story = ["Ransomware"] action.risk = 1 action.risk.param._risk_message = Process $process_name$ with cmdline $process$ in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"threat_object_field": "process_name", "threat_object_type": "process name"}] +action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"threat_object_field": "process_name", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -38446,7 +39136,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Rundll32 LockWorkStation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -38463,7 +39153,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This search is to detect a suspicious rundll32 process that drops executable (.exe or .dll) files. This behavior seen in rundll32 process of IcedID that tries to drop copy of itself in temp folder or download executable drop it either appdata or programdata as part of its execution. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search is to detect a suspicious rundll32 process that drops executable (.exe or .dll) files. This behavior seen in rundll32 process of IcedID that tries to drop copy of itself in temp folder or download executable drop it either appdata or programdata as part of its execution. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, TargetFilename, and eventcode 11 executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. 
@@ -38478,7 +39168,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["IcedID", "Living Off The Land"] action.risk = 1 action.risk.param._risk_message = rundll32 process drops a file $file_name$ on host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"threat_object_field": "file_name", "threat_object_type": "file name"}] +action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -38486,7 +39176,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Rundll32 Process Creating Exe Dll Files - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -38509,7 +39199,7 @@ search = `sysmon` EventCode=11 Image="*rundll32.exe" TargetFilename IN ("*.exe", action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect a suspicious rundll32 commandline to clear shim cache. This technique is a anti-forensic technique to clear the cache taht are one important artifacts in terms of digital forensic during attacks or incident. This TTP is a good indicator that someone tries to evade some tools and clear foothold on the machine. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to detect a suspicious rundll32 commandline to clear shim cache. This technique is a anti-forensic technique to clear the cache taht are one important artifacts in terms of digital forensic during attacks or incident. This TTP is a good indicator that someone tries to evade some tools and clear foothold on the machine. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -38532,7 +39222,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Rundll32 Shimcache Flush - Rule -action.correlationsearch.annotations = {"analytic_story": ["Unusual Processes", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1112"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Unusual Processes", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -38555,7 +39245,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies rundll32.exe with no command line arguments and performing a network connection. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint", "Network_Traffic"] action.escu.eli5 = The following analytic identifies rundll32.exe with no command line arguments and performing a network connection. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -38570,7 +39260,7 @@ action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Bla action.escu.analytic_story = ["Suspicious Rundll32 Activity", "Cobalt Strike", "BlackByte Ransomware", "PrintNightmare CVE-2021-34527", "Graceful Wipe Out Attack"] action.risk = 1 action.risk.param._risk_message = A rundll32 process $process_name$ with no commandline argument like this process commandline $process$ in host $src$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}, {"threat_object_field": "process_name", "threat_object_type": "process name"}] +action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}, {"threat_object_field": "process_name", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
@@ -38578,7 +39268,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Rundll32 with no Command Line Arguments with Network - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Rundll32 Activity", "Cobalt Strike", "BlackByte Ransomware", "PrintNightmare CVE-2021-34527", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-34527"], "impact": 70, "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious Rundll32 Activity", "Cobalt Strike", "BlackByte Ransomware", "PrintNightmare CVE-2021-34527", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-34527"], "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -38601,7 +39291,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies rundll32.exe loading an export function by ordinal value. Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly, may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Utilizing ordinal values makes it a bit more complicated for analysts to understand the behavior until the DLL is reviewed. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies rundll32.exe loading an export function by ordinal value. Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly, may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Utilizing ordinal values makes it a bit more complicated for analysts to understand the behavior until the DLL is reviewed. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -38624,7 +39314,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - RunDLL Loading DLL By Ordinal - Rule -action.correlationsearch.annotations = {"analytic_story": ["Unusual Processes", "Suspicious Rundll32 Activity", "Living Off The Land", "IcedID"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Unusual Processes", "Suspicious Rundll32 Activity", "Living Off The Land", "IcedID"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -38647,7 +39337,7 @@ search = | tstats `security_content_summariesonly` values(Processes.process) as action.escu = 0 action.escu.enabled = 1 description = The search looks for files that contain the key word *Ryuk* under any folder in the C drive, which is consistent with Ryuk propagation. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1486"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The search looks for files that contain the key word *Ryuk* under any folder in the C drive, which is consistent with Ryuk propagation. action.escu.how_to_implement = You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data-model object. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. @@ -38670,7 +39360,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Ryuk Test Files Detected - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ryuk Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "mitre_attack": ["T1486"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Ryuk Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -38693,7 +39383,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This Splunk query identifies the use of Wake-on-LAN utilized by Ryuk ransomware. The Ryuk Ransomware uses the Wake-on-Lan feature to turn on powered off devices on a compromised network to have greater success encrypting them. This is a high fidelity indicator of Ryuk ransomware executing on an endpoint. Upon triage, isolate the endpoint. Additional file modification events will be within the users profile (\appdata\roaming) and in public directories (users\public\). Review all Scheduled Tasks on the isolated endpoint and across the fleet. Suspicious Scheduled Tasks will include a path to a unknown binary and those endpoints should be isolated until triaged. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This Splunk query identifies the use of Wake-on-LAN utilized by Ryuk ransomware. The Ryuk Ransomware uses the Wake-on-Lan feature to turn on powered off devices on a compromised network to have greater success encrypting them. This is a high fidelity indicator of Ryuk ransomware executing on an endpoint. Upon triage, isolate the endpoint. Additional file modification events will be within the users profile (\appdata\roaming) and in public directories (users\public\). Review all Scheduled Tasks on the isolated endpoint and across the fleet. Suspicious Scheduled Tasks will include a path to a unknown binary and those endpoints should be isolated until triaged. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -38716,7 +39406,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Ryuk Wake on LAN Command - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ryuk Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Ryuk Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -38739,7 +39429,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies access to SAM, SYSTEM or SECURITY databases' within the file path of `windows\system32\config` using Windows Security EventCode 4663. This particular behavior is related to credential access, an attempt to either use a Shadow Copy or recent CVE-2021-36934 to access the SAM database. The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, 8.1 and 10 that stores users' passwords. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies access to SAM, SYSTEM or SECURITY databases' within the file path of `windows\system32\config` using Windows Security EventCode 4663. This particular behavior is related to credential access, an attempt to either use a Shadow Copy or recent CVE-2021-36934 to access the SAM database. The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, 8.1 and 10 that stores users' passwords. action.escu.how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." 
@@ -38757,7 +39447,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - SAM Database File Access Attempt - Rule -action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Graceful Wipe Out Attack", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-36934"], "impact": 80, "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Graceful Wipe Out Attack", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-36934"], "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -38774,7 +39464,7 @@ search = `wineventlog_security` (EventCode=4663) process_name!=*\\dllhost.exe O action.escu = 0 action.escu.enabled = 1 description = The search looks for a file named "test.txt" written to the windows system directory tree, which is consistent with Samsam propagation. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1486"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The search looks for a file named "test.txt" written to the windows system directory tree, which is consistent with Samsam propagation. action.escu.how_to_implement = You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. 
@@ -38797,7 +39487,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Samsam Test File Write - Rule -action.correlationsearch.annotations = {"analytic_story": ["SamSam Ransomware"], "cis20": ["CIS 10"], "confidence": 20, "impact": 60, "mitre_attack": ["T1486"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["SamSam Ransomware"], "cis20": ["CIS 10"], "confidence": 20, "impact": 60, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1486"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -38820,7 +39510,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This search looks for arguments to sc.exe indicating the creation or modification of a Windows service. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for arguments to sc.exe indicating the creation or modification of a Windows service. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -38843,7 +39533,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Sc exe Manipulating Windows Services - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Service Abuse", "DHS Report TA18-074A", "Orangeworm Attack Group", "Windows Persistence Techniques", "Disabling Security Tools", "NOBELIUM Group", "Azorult", "Windows Drivers"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Windows Service Abuse", "DHS Report TA18-074A", "Orangeworm Attack Group", "Windows Persistence Techniques", "Disabling Security Tools", "NOBELIUM Group", "Azorult", "Windows Drivers"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -38866,7 +39556,7 @@ search = | tstats `security_content_summariesonly` values(Processes.process) as action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect an application try to connect and create ADSI Object to do LDAP query. Every time an application connects to the directory and attempts to create an ADSI object, the Active Directory Schema is checked for changes. If it has changed since the last connection, the schema is downloaded and stored in a cache on the local computer either in %LOCALAPPDATA%\Microsoft\Windows\SchCache or %systemroot%\SchCache. We found this a good anomaly use case to detect suspicious application like blackmatter ransomware that use ADS object api to execute ldap query. having a good list of ldap or normal AD query tool used within the network is a good start to reduce the noise. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic is to detect an application try to connect and create ADSI Object to do LDAP query. Every time an application connects to the directory and attempts to create an ADSI object, the Active Directory Schema is checked for changes. If it has changed since the last connection, the schema is downloaded and stored in a cache on the local computer either in %LOCALAPPDATA%\Microsoft\Windows\SchCache or %systemroot%\SchCache. We found this a good anomaly use case to detect suspicious application like blackmatter ransomware that use ADS object api to execute ldap query. having a good list of ldap or normal AD query tool used within the network is a good start to reduce the noise. 
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. @@ -38889,7 +39579,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - SchCache Change By App Connect And Create ADSI Object - Rule -action.correlationsearch.annotations = {"analytic_story": ["blackMatter ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["blackMatter ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -38909,7 +39599,7 @@ description = The following analytic detects the registration of suspicious task The search returns information about the task, such as the task name, command, author, enabled status, hidden status, and arguments. Upon triage, it is important to identify the source of the scheduled task, whether it was registered through schtasks.exe or TaskService. Review the details of the created task and the command to be executed. Capture relevant artifacts on disk and examine them. Additionally, identify any parallel processes occurring within the same timeframe to determine the source of the attack.\ Implementing this analytic requires ingesting logs with information about task schedules, specifically Windows Security Log EventCode 4698, from your endpoints. It is recommended to tune and filter known instances of task schedules used in your environment to minimize false positives.\ Detecting the registration of suspicious tasks with HTTP command arguments is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is found, further investigation is warranted to analyze the nature and purpose of the scheduled task, identify any downloaded files or payloads, and mitigate the associated risks. The impact of a true positive can vary but may include data exfiltration, malware propagation, or unauthorized access to sensitive information. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects the registration of suspicious tasks on Windows using the Windows Security EventCode 4698, "A scheduled task was created." 
It specifically looks for tasks registered through schtasks.exe or TaskService that have command arguments containing the string "HTTP." This behavior is often associated with malware or attacks that utilize Living off the Land binaries (lolbins) to download additional files or payloads to the compromised machine.\ The search returns information about the task, such as the task name, command, author, enabled status, hidden status, and arguments. Upon triage, it is important to identify the source of the scheduled task, whether it was registered through schtasks.exe or TaskService. Review the details of the created task and the command to be executed. Capture relevant artifacts on disk and examine them. Additionally, identify any parallel processes occurring within the same timeframe to determine the source of the attack.\ @@ -38935,7 +39625,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Schedule Task with HTTP Command Arguments - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Winter Vivern", "Windows Persistence Techniques", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1053"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Winter Vivern", "Windows Persistence Techniques", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -38964,7 +39654,7 @@ description = The following analytic detects the creation of suspicious tasks in If a true positive is found, it suggests an attacker is trying to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes.\ To implement this analytic, ensure you are ingesting logs with task schedule information from your endpoints. Be aware of potential false positives - legitimate uses of Task Scheduler in your environment may cause benign activities to be flagged.\ Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic detects the creation of suspicious tasks in Windows, specifically tasks using the rundll32 command. It's implemented using Windows Security EventCode 4698 for A scheduled task was created, and looks for tasks executed either via schtasks.exe or TaskService. This behavior is worth identifying as it is commonly used by malware, such as TrickBot, that leverages rundll32 to execute its downloader.\ If a true positive is found, it suggests an attacker is trying to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes.\ 
@@ -38990,7 +39680,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Schedule Task with Rundll32 Command Trigger - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Persistence Techniques", "Trickbot", "IcedID", "Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "mitre_attack": ["T1053"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Windows Persistence Techniques", "Trickbot", "IcedID", "Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -39017,7 +39707,7 @@ action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the creation of suspicious tasks on a remote Windows endpoint using the at.exe command with command-line arguments. This technique is commonly used by red teams and adversaries for lateral movement and remote code execution. The at.exe binary leverages the deprecated AT protocol, which may still work on previous versions of Windows. Attackers can enable this protocol on demand by modifying a system registry key. It is important to consider potential false positives. While administrators may create scheduled tasks on remote systems, this activity is typically limited to a small set of hosts or users.\ Identifying the creation of scheduled tasks on remote endpoints is crucial for a Security Operations Center (SOC) because it indicates potential unauthorized activity or an attacker attempting to establish persistence or execute malicious code. The impact of a true positive can be significant, leading to unauthorized access, data theft, or other damaging outcomes. During triage, investigate the source and purpose of the scheduled task, inspect relevant on-disk artifacts, and analyze concurrent processes to identify the extent of the attack and take appropriate response actions. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1053", "T1053.002"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.002"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects the creation of suspicious tasks on a remote Windows endpoint using the at.exe command with command-line arguments. This technique is commonly used by red teams and adversaries for lateral movement and remote code execution. The at.exe binary leverages the deprecated AT protocol, which may still work on previous versions of Windows. 
Attackers can enable this protocol on demand by modifying a system registry key. It is important to consider potential false positives. While administrators may create scheduled tasks on remote systems, this activity is typically limited to a small set of hosts or users.\ Identifying the creation of scheduled tasks on remote endpoints is crucial for a Security Operations Center (SOC) because it indicates potential unauthorized activity or an attacker attempting to establish persistence or execute malicious code. The impact of a true positive can be significant, leading to unauthorized access, data theft, or other damaging outcomes. During triage, investigate the source and purpose of the scheduled task, inspect relevant on-disk artifacts, and analyze concurrent processes to identify the extent of the attack and take appropriate response actions. @@ -39041,7 +39731,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "mitre_attack": ["T1053", "T1053.002"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -39065,7 +39755,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic focuses on identifying the creation or deletion of scheduled tasks using the schtasks.exe utility with the corresponding command-line flags (-create or -delete). This technique has been notably associated with threat actors like Dragonfly and the SUNBURST attack against SolarWinds. The purpose of this analytic is to detect suspicious activity related to scheduled tasks that could indicate malicious intent or unauthorized system manipulation. By monitoring for these specific command-line flags, we can enhance our ability to identify potential threats and prevent attacks similar to the use of scheduled tasks in the BadRabbit Ransomware incident. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic focuses on identifying the creation or deletion of scheduled tasks using the schtasks.exe utility with the corresponding command-line flags (-create or -delete). This technique has been notably associated with threat actors like Dragonfly and the SUNBURST attack against SolarWinds. The purpose of this analytic is to detect suspicious activity related to scheduled tasks that could indicate malicious intent or unauthorized system manipulation. By monitoring for these specific command-line flags, we can enhance our ability to identify potential threats and prevent attacks similar to the use of scheduled tasks in the BadRabbit Ransomware incident. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -39077,7 +39767,7 @@ action.escu.full_search_name = ESCU - Scheduled Task Deleted Or Created via CMD action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AsyncRAT", "Winter Vivern", "Windows Persistence Techniques", "Living Off The Land", "Prestige Ransomware", "AgentTesla", "NjRAT", "RedLine Stealer", "Rhysida Ransomware", "Azorult", "DHS Report TA18-074A", "Scheduled Tasks", "Sandworm Tools", "Qakbot", "CISA AA22-257A", "Trickbot", "NOBELIUM Group", "Amadey", "DarkCrystal RAT", "CISA AA23-347A"] +action.escu.analytic_story = ["AsyncRAT", "Winter Vivern", "Windows Persistence Techniques", "Living Off The Land", "Prestige Ransomware", "AgentTesla", "NjRAT", "RedLine Stealer", "Rhysida Ransomware", "Azorult", "DHS Report TA18-074A", "Scheduled Tasks", "Sandworm Tools", "Qakbot", "CISA AA22-257A", "Trickbot", "NOBELIUM Group", "Amadey", "DarkCrystal RAT", "CISA AA23-347A", "Phemedrone Stealer"] action.risk = 1 action.risk.param._risk_message = A schedule task process $process_name$ with create or delete commandline $process$ in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}] 
@@ -39088,7 +39778,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Scheduled Task Deleted Or Created via CMD - Rule -action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT", "Winter Vivern", "Windows Persistence Techniques", "Living Off The Land", "Prestige Ransomware", "AgentTesla", "NjRAT", "RedLine Stealer", "Rhysida Ransomware", "Azorult", "DHS Report TA18-074A", "Scheduled Tasks", "Sandworm Tools", "Qakbot", "CISA AA22-257A", "Trickbot", "NOBELIUM Group", "Amadey", "DarkCrystal RAT", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT", "Winter Vivern", "Windows Persistence Techniques", "Living Off The Land", "Prestige Ransomware", "AgentTesla", "NjRAT", "RedLine Stealer", "Rhysida Ransomware", "Azorult", "DHS Report TA18-074A", "Scheduled Tasks", "Sandworm Tools", "Qakbot", "CISA AA22-257A", "Trickbot", "NOBELIUM Group", "Amadey", "DarkCrystal RAT", "CISA AA23-347A", "Phemedrone Stealer"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -39111,7 +39801,7 @@ search = | tstats `security_content_summariesonly` count values(Processes.proces action.escu = 0 action.escu.enabled = 1 description = The following analytic detects instances of 'schtasks.exe' being used to start a Scheduled Task on a remote endpoint. Adversaries often abuse the Task Scheduler for lateral movement and remote code execution. The search parameters include process details such as the process name, parent process, and command-line executions. Although legitimate administrators may start scheduled tasks on remote systems, this activity is usually limited to a small set of hosts or users. The findings from this analytic provide valuable insight into potentially malicious activities on an endpoint. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects instances of 'schtasks.exe' being used to start a Scheduled Task on a remote endpoint. Adversaries often abuse the Task Scheduler for lateral movement and remote code execution. The search parameters include process details such as the process name, parent process, and command-line executions. Although legitimate administrators may start scheduled tasks on remote systems, this activity is usually limited to a small set of hosts or users. The findings from this analytic provide valuable insight into potentially malicious activities on an endpoint. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -39134,7 +39824,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Scheduled Task Initiation on Remote Endpoint - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -39157,7 +39847,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic is designed to detect when a Windows Scheduled Task is executed on demand via shell or command line. Adversaries often force the execution of their created Scheduled Tasks for persistent access or lateral movement within a compromised machine. This analytic is driven by process-related data, specifically process name, parent process, and command-line executions, sourced from endpoint logs. The search criteria focus on 'schtasks.exe' with an associated 'run' command. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic is designed to detect when a Windows Scheduled Task is executed on demand via shell or command line. Adversaries often force the execution of their created Scheduled Tasks for persistent access or lateral movement within a compromised machine. This analytic is driven by process-related data, specifically process name, parent process, and command-line executions, sourced from endpoint logs. The search criteria focus on 'schtasks.exe' with an associated 'run' command. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -39180,7 +39870,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Schtasks Run Task On Demand - Rule -action.correlationsearch.annotations = {"analytic_story": ["Qakbot", "Industroyer2", "XMRig", "CISA AA22-257A", "Data Destruction", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "mitre_attack": ["T1053"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Qakbot", "Industroyer2", "XMRig", "CISA AA22-257A", "Data Destruction", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -39203,7 +39893,7 @@ search = | tstats `security_content_summariesonly` values(Processes.process) as action.escu = 0 action.escu.enabled = 1 description = The following analytic is designed to detect suspicious command-line arguments executed through 'schtasks.exe' to create a scheduled task on a remote endpoint. The analytic scans process data, checking for instances where 'schtasks.exe' has been used with specific command-line flags that suggest an attempt at lateral movement or remote code execution, common techniques employed by adversaries and red teams. Key data points include the process name, the specific command line used, the parent process name, the target destination, and the user involved. Also, timestamp data gives context to when these activities occurred. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic is designed to detect suspicious command-line arguments executed through 'schtasks.exe' to create a scheduled task on a remote endpoint. The analytic scans process data, checking for instances where 'schtasks.exe' has been used with specific command-line flags that suggest an attempt at lateral movement or remote code execution, common techniques employed by adversaries and red teams. Key data points include the process name, the specific command line used, the parent process name, the target destination, and the user involved. Also, timestamp data gives context to when these activities occurred. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -39215,7 +39905,7 @@ action.escu.full_search_name = ESCU - Schtasks scheduling job on remote system - action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "NOBELIUM Group", "Living Off The Land", "Prestige Ransomware", "Scheduled Tasks", "RedLine Stealer"] +action.escu.analytic_story = ["Active Directory Lateral Movement", "NOBELIUM Group", "Living Off The Land", "Prestige Ransomware", "Scheduled Tasks", "RedLine Stealer", "Phemedrone Stealer"] action.risk = 1 action.risk.param._risk_message = A schedule task process $process_name$ with remote job command-line $process$ in host $dest$ by $user$. action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 63}] 
@@ -39226,7 +39916,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Schtasks scheduling job on remote system - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "NOBELIUM Group", "Living Off The Land", "Prestige Ransomware", "Scheduled Tasks", "RedLine Stealer"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "NOBELIUM Group", "Living Off The Land", "Prestige Ransomware", "Scheduled Tasks", "RedLine Stealer", "Phemedrone Stealer"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -39249,7 +39939,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes a Splunk query to pinpoint potential threats by monitoring the 'schtasks.exe' command-line usage. This particular command, especially when used in tandem with 'shutdown' and '/create' flags, can suggest an adversarial force intending to schedule unwarranted system reboots. The query focuses on endpoint process data and retrieves details such as the process name, the parent process name, the destination, and the user involved. Essential to the investigation are the earliest and latest timestamps of these events, providing an activity timeline. Data such as the targeted host and initiating user offer valuable context for analyst. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic utilizes a Splunk query to pinpoint potential threats by monitoring the 'schtasks.exe' command-line usage. This particular command, especially when used in tandem with 'shutdown' and '/create' flags, can suggest an adversarial force intending to schedule unwarranted system reboots. The query focuses on endpoint process data and retrieves details such as the process name, the parent process name, the destination, and the user involved. Essential to the investigation are the earliest and latest timestamps of these events, providing an activity timeline. Data such as the targeted host and initiating user offer valuable context for analyst. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -39272,7 +39962,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Schtasks used for forcing a reboot - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Persistence Techniques", "Ransomware", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Windows Persistence Techniques", "Ransomware", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -39295,7 +39985,7 @@ search = | tstats `security_content_summariesonly` values(Processes.process) as action.escu = 0 action.escu.enabled = 1 description = This analytic is developed to detect possible event trigger execution through screensaver registry entry modification for persistence or privilege escalation. This technique was seen in several APT and malware where they put the malicious payload path to the SCRNSAVE.EXE registry key to redirect the execution to their malicious payload path. This TTP is a good indicator that some attacker may modify this entry for their persistence and privilege escalation. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1546", "T1546.002"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546", "T1546.002"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is developed to detect possible event trigger execution through screensaver registry entry modification for persistence or privilege escalation. This technique was seen in several APT and malware where they put the malicious payload path to the SCRNSAVE.EXE registry key to redirect the execution to their malicious payload path. This TTP is a good indicator that some attacker may modify this entry for their persistence and privilege escalation. action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. 
@@ -39318,7 +40008,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Screensaver Event Trigger Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["Hermetic Wiper", "Windows Privilege Escalation", "Windows Persistence Techniques", "Windows Registry Abuse", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "mitre_attack": ["T1546", "T1546.002"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Hermetic Wiper", "Windows Privilege Escalation", "Windows Persistence Techniques", "Windows Registry Abuse", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546", "T1546.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -39341,7 +40031,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTim action.escu = 0 action.escu.enabled = 1 description = The following analytic detects any potential misuse of Windows Management Instrumentation (WMI) for malicious purposes since adversaries often use WMI to run scripts which allows them to carry out malicious activities without raising suspicion. The detection is made by monitoring the process 'scrcons.exe', which is essential to run WMI scripts. The detection is important because it proactively identifies and responds to potential threats that leverage WMI for malicious purposes that can lead to system compromise, data exfiltration, or the establishment of persistence within the environment. False positives might occur since administrators might occasionally use WMI to launch scripts for legitimate purposes. Therefore, you must distinguish between malicious and benign activities. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects any potential misuse of Windows Management Instrumentation (WMI) for malicious purposes since adversaries often use WMI to run scripts which allows them to carry out malicious activities without raising suspicion. The detection is made by monitoring the process 'scrcons.exe', which is essential to run WMI scripts. The detection is important because it proactively identifies and responds to potential threats that leverage WMI for malicious purposes that can lead to system compromise, data exfiltration, or the establishment of persistence within the environment. False positives might occur since administrators might occasionally use WMI to launch scripts for legitimate purposes. 
Therefore, you must distinguish between malicious and benign activities. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -39364,7 +40054,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Script Execution via WMI - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious WMI Use"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "mitre_attack": ["T1047"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious WMI Use"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -39387,7 +40077,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This search is to detect a suspicious sdclt.exe registry modification. This technique is commonly seen when attacker try to bypassed UAC by using sdclt.exe application by modifying some registry that sdclt.exe tries to open or query with payload file path on it to be executed. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search is to detect a suspicious sdclt.exe registry modification. This technique is commonly seen when attacker try to bypassed UAC by using sdclt.exe application by modifying some registry that sdclt.exe tries to open or query with payload file path on it to be executed. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -39410,7 +40100,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Sdclt UAC Bypass - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -39433,7 +40123,7 @@ search = | tstats `security_content_summariesonly` count min(_time) AS firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect the execution of sdelete.exe application sysinternal tools. This tool is one of the most use tool of malware and adversaries to remove or clear their tracks and artifact in the targetted host. This tool is designed to delete securely a file in file system that remove the forensic evidence on the machine. A good TTP query to check why user execute this application which is not a common practice. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to detect the execution of sdelete.exe application sysinternal tools. This tool is one of the most use tool of malware and adversaries to remove or clear their tracks and artifact in the targetted host. This tool is designed to delete securely a file in file system that remove the forensic evidence on the machine. A good TTP query to check why user execute this application which is not a common practice. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -39456,7 +40146,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Sdelete Application Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["Masquerading - Rename System Utilities"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Masquerading - Rename System Utilities"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "mitre_attack": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -39479,7 +40169,7 @@ search = | tstats `security_content_summariesonly` values(Processes.process) as action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies searchprotocolhost.exe with no command line arguments and with a network connection. It is unusual for searchprotocolhost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. searchprotocolhost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint", "Network_Traffic"] action.escu.eli5 = The following analytic identifies searchprotocolhost.exe with no command line arguments and with a network connection. It is unusual for searchprotocolhost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. searchprotocolhost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -39494,7 +40184,7 @@ action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Bla action.escu.analytic_story = ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"] action.risk = 1 action.risk.param._risk_message = A searchprotocolhost.exe process $process_name$ with no commandline in host $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}, {"threat_object_field": "process_name", "threat_object_type": "process name"}] +action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}, {"threat_object_field": "process_name", "threat_object_type": "process"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -39502,7 +40192,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - SearchProtocolHost with no Command Line with Network - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -39525,7 +40215,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint action.escu = 0 action.escu.enabled = 1 description = The following analytic detects a potential usage of secretsdump.py tool for dumping credentials (ntlm hash) from a copy of ntds.dit and SAM.Security,SYSTEM registrry hive. This technique was seen in some attacker that dump ntlm hashes offline after having a copy of ntds.dit and SAM/SYSTEM/SECURITY registry hive. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects a potential usage of secretsdump.py tool for dumping credentials (ntlm hash) from a copy of ntds.dit and SAM.Security,SYSTEM registrry hive. This technique was seen in some attacker that dump ntlm hashes offline after having a copy of ntds.dit and SAM/SYSTEM/SECURITY registry hive. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -39548,7 +40238,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - SecretDumps Offline NTDS Dumping Tool - Rule -action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Graceful Wipe Out Attack", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Graceful Wipe Out Attack", "Rhysida Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -39575,7 +40265,7 @@ What is a ServicePrincipleName? \ A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.\ The following analytic identifies the use of KerberosRequestorSecurityToken class within the script block. Using .NET System.IdentityModel.Tokens.KerberosRequestorSecurityToken class in PowerShell is the equivelant of using setspn.exe. \ During triage, review parallel processes for further suspicious activity. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1558.003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies `powershell.exe` usage, using Script Block Logging EventCode 4104, related to querying the domain for Service Principle Names. typically, this is a precursor activity related to kerberoasting or the silver ticket attack. \ What is a ServicePrincipleName? \ 
@@ -39602,7 +40292,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - ServicePrincipalNames Discovery with PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Active Directory Kerberos Attacks", "Malicious PowerShell", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1558.003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Active Directory Kerberos Attacks", "Malicious PowerShell", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -39636,7 +40326,7 @@ Example usage includes the following \ Values \ 1. -F = perform queries at the forest, rather than domain level 1. -T = perform query on the specified domain or forest (when -F is also used) 1. -Q = query for existence of SPN \ During triage, review parallel processes for further suspicious activity. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1558.003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558.003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies `setspn.exe` usage related to querying the domain for Service Principle Names. typically, this is a precursor activity related to kerberoasting or the silver ticket attack. \ What is a ServicePrincipleName? \ 
@@ -39666,7 +40356,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - ServicePrincipalNames Discovery with SetSPN - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1558.003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -39696,7 +40386,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the use of `svc-exe` with Cobalt Strike. The behavior typically follows after an adversary has already gained initial access and is escalating privileges. Using `svc-exe`, a randomly named binary will be downloaded from the remote Teamserver and placed on disk within `C:\Windows\400619a.exe`. Following, the binary will be added to the registry under key `HKLM\System\CurrentControlSet\Services\400619a\` with multiple keys and values added to look like a legitimate service. Upon loading, `services.exe` will spawn the randomly named binary from `\\127.0.0.1\ADMIN$\400619a.exe`. The process lineage is completed with `400619a.exe` spawning rundll32.exe, which is the default `spawnto_` value for Cobalt Strike. The `spawnto_` value is arbitrary and may be any process on disk (typically system32/syswow64 binary). The `spawnto_` process will also contain a network connection. During triage, review parallel procesess and identify any additional file modifications. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the use of `svc-exe` with Cobalt Strike. The behavior typically follows after an adversary has already gained initial access and is escalating privileges. Using `svc-exe`, a randomly named binary will be downloaded from the remote Teamserver and placed on disk within `C:\Windows\400619a.exe`. Following, the binary will be added to the registry under key `HKLM\System\CurrentControlSet\Services\400619a\` with multiple keys and values added to look like a legitimate service. 
Upon loading, `services.exe` will spawn the randomly named binary from `\\127.0.0.1\ADMIN$\400619a.exe`. The process lineage is completed with `400619a.exe` spawning rundll32.exe, which is the default `spawnto_` value for Cobalt Strike. The `spawnto_` value is arbitrary and may be any process on disk (typically system32/syswow64 binary). The `spawnto_` process will also contain a network connection. During triage, review parallel procesess and identify any additional file modifications. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -39719,7 +40409,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Services Escalate Exe - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 95, "impact": 80, "mitre_attack": ["T1548"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 95, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -39742,7 +40432,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies `services.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Service Control Manager and creating a remote malicious service, the executed command is spawned as a child process of `services.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of services.exe that are part of the LOLBAS project can help defenders identify lateral movement activity. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies `services.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Service Control Manager and creating a remote malicious service, the executed command is spawned as a child process of `services.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of services.exe that are part of the LOLBAS project can help defenders identify lateral movement activity. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. 
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -39765,7 +40455,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Services LOLBAS Execution Process Spawn - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Qakbot", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Qakbot", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543", "T1543.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -39788,7 +40478,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = Monitor for changes of the ExecutionPolicy in the registry to the values "unrestricted" or "bypass," which allows the execution of malicious scripts. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = Monitor for changes of the ExecutionPolicy in the registry to the values "unrestricted" or "bypass," which allows the execution of malicious scripts. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -39811,7 +40501,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule -action.correlationsearch.annotations = {"analytic_story": ["HAFNIUM Group", "Hermetic Wiper", "Credential Dumping", "Malicious PowerShell", "Data Destruction", "DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["HAFNIUM Group", "Hermetic Wiper", "Credential Dumping", "Malicious PowerShell", "Data Destruction", "DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059", "T1059.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -39834,7 +40524,7 @@ search = | tstats `security_content_summariesonly` count min(_time) AS firstTime action.escu = 0 action.escu.enabled = 1 description = This search looks for shim database files being written to default directories. The sdbinst.exe application is used to install shim database files (.sdb). According to Microsoft, a shim is a small library that transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for shim database files being written to default directories. The sdbinst.exe application is used to install shim database files (.sdb). According to Microsoft, a shim is a small library that transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere. action.escu.how_to_implement = You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. 
@@ -39857,7 +40547,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Shim Database File Creation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -39880,7 +40570,7 @@ search = | tstats `security_content_summariesonly` count values(Filesystem.actio action.escu = 0 action.escu.enabled = 1 description = This search detects the process execution and arguments required to silently create a shim database. The sdbinst.exe application is used to install shim database files (.sdb). A shim is a small library which transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search detects the process execution and arguments required to silently create a shim database. The sdbinst.exe application is used to install shim database files (.sdb). A shim is a small library which transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -39903,7 +40593,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Shim Database Installation With Suspicious Parameters - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.011", "T1546"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -39929,7 +40619,7 @@ description = The following analytic utilizes Windows Security EventCode 4698, " To implement this analytic, ensure that you are ingesting Windows Security Event Logs with EventCode 4698 enabled. Additionally, the Windows TA (Technology Add-on) is required to parse and extract the necessary information from the logs.\ It's important to note that while uncommon, legitimate applications may create and delete scheduled tasks within a short duration. Analysts should filter the results based on the specific context and environment to reduce false positives.\ Identifying short-lived scheduled tasks is valuable for a SOC as it can indicate malicious activities attempting to move laterally or execute unauthorized code on Windows systems. By detecting and investigating these events, security analysts can respond promptly to prevent further compromise and mitigate potential risks. The impact of a true positive could range from unauthorized access to data exfiltration or the execution of malicious payloads. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.005"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes Windows Security EventCode 4698, "A scheduled task was created," and EventCode 4699, "A scheduled task was deleted," to identify scheduled tasks that are created and deleted within a short time frame of less than 30 seconds. This behavior is indicative of a potential lateral movement attack where the Task Scheduler is abused to achieve code execution. Both red teams and adversaries may exploit the Task Scheduler for lateral movement and remote code execution.\ To implement this analytic, ensure that you are ingesting Windows Security Event Logs with EventCode 4698 enabled. 
Additionally, the Windows TA (Technology Add-on) is required to parse and extract the necessary information from the logs.\ @@ -39955,7 +40645,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Short Lived Scheduled Task - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Active Directory Lateral Movement", "Scheduled Tasks", "CISA AA22-257A"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "mitre_attack": ["T1053.005"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Active Directory Lateral Movement", "Scheduled Tasks", "CISA AA22-257A"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -39981,7 +40671,7 @@ search = `wineventlog_security` EventCode=4698 OR EventCode=4699 | xmlkv Messag action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the creation and deletion of accounts in a short time period to identify potential threats earlier and take appropriate actions to mitigate the risks. Helps prevent or minimize the potential damage caused by unauthorized access or malicious activities within the environment. This detection is made by a Splunk query that searches for events with the result IDs 4720 and 4726 in the "Change" data model. The query then groups the results by time, user, and destination. The result is filtered to only include events with the specified result IDs. The "transaction" command is used to group events that occur within a specified time span and have the same user but are not connected. Finally, the relevant information such as the first and last time of the event, the count, user, destination, and result ID are displayed in a table. This detection is important because it suggests that an attacker is attempting to create and delete accounts rapidly, potentially to cover their tracks or gain unauthorized access. The impact of such an attack can include unauthorized access to sensitive data, privilege escalation, or the ability to carry out further malicious activities within the environment. Next steps include investigating the events flagged by the analytic, review the account creation and deletion activities, and analyze any associated logs or artifacts to determine the intent and impact of the attack. 
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]} action.escu.data_models = ["Change"] action.escu.eli5 = The following analytic detects the creation and deletion of accounts in a short time period to identify potential threats earlier and take appropriate actions to mitigate the risks. Helps prevent or minimize the potential damage caused by unauthorized access or malicious activities within the environment. This detection is made by a Splunk query that searches for events with the result IDs 4720 and 4726 in the "Change" data model. The query then groups the results by time, user, and destination. The result is filtered to only include events with the specified result IDs. The "transaction" command is used to group events that occur within a specified time span and have the same user but are not connected. Finally, the relevant information such as the first and last time of the event, the count, user, destination, and result ID are displayed in a table. This detection is important because it suggests that an attacker is attempting to create and delete accounts rapidly, potentially to cover their tracks or gain unauthorized access. The impact of such an attack can include unauthorized access to sensitive data, privilege escalation, or the ability to carry out further malicious activities within the environment. Next steps include investigating the events flagged by the analytic, review the account creation and deletion activities, and analyze any associated logs or artifacts to determine the intent and impact of the attack. action.escu.how_to_implement = This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs. 
More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/ @@ -40004,7 +40694,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Short Lived Windows Accounts - Rule -action.correlationsearch.annotations = {"analytic_story": ["Account Monitoring and Controls"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Account Monitoring and Controls"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -40027,7 +40717,7 @@ search = | tstats `security_content_summariesonly` values(All_Changes.result_id) action.escu = 0 action.escu.enabled = 1 description = This search is to detect a suspicious modification of registry that may related to UAC bypassed. This registry will be trigger once the attacker abuse the silentcleanup task schedule to gain high privilege execution that will bypass User control account. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search is to detect a suspicious modification of registry that may related to UAC bypassed. This registry will be trigger once the attacker abuse the silentcleanup task schedule to gain high privilege execution that will bypass User control account. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -40050,7 +40740,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - SilentCleanup UAC Bypass - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -40073,7 +40763,7 @@ search = | tstats `security_content_summariesonly` count min(_time) AS firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic detects a behavior where a process name consists only of a single letter that helps to detect potential threats earlier and mitigate the risks. This detection is important because it indicates the presence of malware or an attacker attempting to evade detection by using a process name that is difficult to identify or track so that he can carry out malicious activities such as data theft or ransomware attacks. False positives might occur since there might be legitimate uses of single-letter process names in your environment. Next steps include reviewing the process details and investigating any suspicious activity upon triage. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects a behavior where a process name consists only of a single letter that helps to detect potential threats earlier and mitigate the risks. This detection is important because it indicates the presence of malware or an attacker attempting to evade detection by using a process name that is difficult to identify or track so that he can carry out malicious activities such as data theft or ransomware attacks. False positives might occur since there might be legitimate uses of single-letter process names in your environment. Next steps include reviewing the process details and investigating any suspicious activity upon triage. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -40096,7 +40786,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Single Letter Process On Endpoint - Rule -action.correlationsearch.annotations = {"analytic_story": ["DHS Report TA18-074A"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["DHS Report TA18-074A"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1204", "T1204.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -40119,7 +40809,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the Microsoft Software Licensing User Interface Tool, `slui.exe`, elevating access using the `-verb runas` function. This particular bypass utilizes a registry key/value. Identified by two sources, the registry keys are `HKCU\Software\Classes\exefile\shell` and `HKCU\Software\Classes\launcher.Systemsettings\Shell\open\command`. To simulate this behavior, multiple POC are available. The analytic identifies the use of `runas` by `slui.exe`. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the Microsoft Software Licensing User Interface Tool, `slui.exe`, elevating access using the `-verb runas` function. This particular bypass utilizes a registry key/value. Identified by two sources, the registry keys are `HKCU\Software\Classes\exefile\shell` and `HKCU\Software\Classes\launcher.Systemsettings\Shell\open\command`. To simulate this behavior, multiple POC are available. The analytic identifies the use of `runas` by `slui.exe`. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -40142,7 +40832,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - SLUI RunAs Elevated - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkSide Ransomware", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["DarkSide Ransomware", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -40165,7 +40855,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the Microsoft Software Licensing User Interface Tool, `slui.exe`, spawning a child process. This behavior is associated with publicly known UAC bypass. `slui.exe` is commonly associated with software updates and is most often spawned by `svchost.exe`. The `slui.exe` process should not have child processes, and any processes spawning from it will be running with elevated privileges. During triage, review the child process and additional parallel processes. Identify any file modifications that may have lead to the bypass. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the Microsoft Software Licensing User Interface Tool, `slui.exe`, spawning a child process. This behavior is associated with publicly known UAC bypass. `slui.exe` is commonly associated with software updates and is most often spawned by `svchost.exe`. The `slui.exe` process should not have child processes, and any processes spawning from it will be running with elevated privileges. During triage, review the child process and additional parallel processes. Identify any file modifications that may have lead to the bypass. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. 
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -40188,7 +40878,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - SLUI Spawning a Process - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkSide Ransomware", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["DarkSide Ransomware", "Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -40251,7 +40941,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a suspicious child process, `rundll32.exe`, with no command-line arguments being spawned from `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to spawn a process. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies a suspicious child process, `rundll32.exe`, with no command-line arguments being spawned from `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to spawn a process. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -40274,7 +40964,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Spoolsv Spawning Rundll32 - Rule -action.correlationsearch.annotations = {"analytic_story": ["PrintNightmare CVE-2021-34527"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-34527"], "impact": 80, "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["PrintNightmare CVE-2021-34527"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-34527"], "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -40297,7 +40987,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This search is to detect suspicious loading of dll in specific path relative to printnightmare exploitation. In this search we try to detect the loaded modules made by spoolsv.exe after the exploitation. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search is to detect suspicious loading of dll in specific path relative to printnightmare exploitation. In this search we try to detect the loaded modules made by spoolsv.exe after the exploitation. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. @@ -40320,7 +41010,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Spoolsv Suspicious Loaded Modules - Rule -action.correlationsearch.annotations = {"analytic_story": ["PrintNightmare CVE-2021-34527"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-34527"], "impact": 80, "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["PrintNightmare CVE-2021-34527"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-34527"], "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -40343,7 +41033,7 @@ search = `sysmon` EventCode=7 Image ="*\\spoolsv.exe" ImageLoaded="*\\Windows\\S action.escu = 0 action.escu.enabled = 1 description = This analytic identifies a suspicious behavior related to PrintNightmare, or CVE-2021-34527 previously (CVE-2021-1675), to gain privilege escalation on the vulnerable machine. This exploit attacks a critical Windows Print Spooler Vulnerability to elevate privilege. This detection is to look for suspicious process access made by the spoolsv.exe that may related to the attack. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies a suspicious behavior related to PrintNightmare, or CVE-2021-34527 previously (CVE-2021-1675), to gain privilege escalation on the vulnerable machine. This exploit attacks a critical Windows Print Spooler Vulnerability to elevate privilege. This detection is to look for suspicious process access made by the spoolsv.exe that may related to the attack. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with process access event where SourceImage, TargetImage, GrantedAccess and CallTrace executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of spoolsv.exe. 
@@ -40366,7 +41056,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Spoolsv Suspicious Process Access - Rule -action.correlationsearch.annotations = {"analytic_story": ["PrintNightmare CVE-2021-34527"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-34527"], "impact": 80, "mitre_attack": ["T1068"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["PrintNightmare CVE-2021-34527"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-34527"], "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1068"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -40389,7 +41079,7 @@ search = `sysmon` EventCode=10 SourceImage = "*\\spoolsv.exe" CallTrace = "*\\Wi action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a `.dll` being written by `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to write a `.dll`. Current POC code used will write the suspicious DLL to disk within a path of `\spool\drivers\x64\`. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies a `.dll` being written by `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to write a `.dll`. Current POC code used will write the suspicious DLL to disk within a path of `\spool\drivers\x64\`. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node. 
@@ -40412,7 +41102,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Spoolsv Writing a DLL - Rule -action.correlationsearch.annotations = {"analytic_story": ["PrintNightmare CVE-2021-34527"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-34527"], "impact": 80, "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["PrintNightmare CVE-2021-34527"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-34527"], "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -40435,7 +41125,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a `.dll` being written by `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 previously(CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to write a `.dll`. Current POC code used will write the suspicious DLL to disk within a path of `\spool\drivers\x64\`. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies a `.dll` being written by `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 previously(CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to write a `.dll`. Current POC code used will write the suspicious DLL to disk within a path of `\spool\drivers\x64\`. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. 
@@ -40450,7 +41140,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["PrintNightmare CVE-2021-34527"] action.risk = 1 action.risk.param._risk_message = $process_name$ has been identified writing dll's to $file_path$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"threat_object_field": "process_name", "threat_object_type": "process"}, {"threat_object_field": "file_name", "threat_object_type": "file"}] +action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 72}, {"threat_object_field": "process_name", "threat_object_type": "process"}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -40458,7 +41148,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Spoolsv Writing a DLL - Sysmon - Rule -action.correlationsearch.annotations = {"analytic_story": ["PrintNightmare CVE-2021-34527"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-34527"], "impact": 80, "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["PrintNightmare CVE-2021-34527"], "cis20": ["CIS 10"], "confidence": 90, "cve": ["CVE-2021-34527"], "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.012", "T1547"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -40481,7 +41171,7 @@ search = `sysmon` EventID=11 process_name=spoolsv.exe file_path="*\\spool\\drive action.escu = 0 action.escu.enabled = 1 description = This search is to detect a suspicious file creation of sqlite3.dll in %temp% folder. This behavior was seen in IcedID malware where it download sqlite module to parse browser database like for chrome or firefox to stole browser information related to bank, credit card or credentials. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1005"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1005"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search is to detect a suspicious file creation of sqlite3.dll in %temp% folder. This behavior was seen in IcedID malware where it download sqlite module to parse browser database like for chrome or firefox to stole browser information related to bank, credit card or credentials. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. @@ -40504,7 +41194,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Sqlite Module In Temp Folder - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "mitre_attack": ["T1005"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["IcedID"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1005"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -40527,7 +41217,7 @@ search = `sysmon` EventCode=11 (TargetFilename = "*\\sqlite32.dll" OR TargetFile action.escu = 0 action.escu.enabled = 1 description = This correlation rule focuses on detecting potential threats associated with MITRE ATT&CK T1649 (Steal or Forge Authentication Certificates). The rule is designed to identify instances where 5 or more analytics related to Windows Certificate Services analytic story that are triggered within a specified time frame, which may indicate a potential attack in progress. By aggregating these analytics, security teams can swiftly respond to and investigate any suspicious activities, enhancing their ability to protect critical assets and prevent unauthorized access to sensitive information. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} action.escu.data_models = ["Risk"] action.escu.eli5 = This correlation rule focuses on detecting potential threats associated with MITRE ATT&CK T1649 (Steal or Forge Authentication Certificates). The rule is designed to identify instances where 5 or more analytics related to Windows Certificate Services analytic story that are triggered within a specified time frame, which may indicate a potential attack in progress. By aggregating these analytics, security teams can swiftly respond to and investigate any suspicious activities, enhancing their ability to protect critical assets and prevent unauthorized access to sensitive information. action.escu.how_to_implement = The Windows Certificate Services analytic story must have 5 or more analytics enabled. In addition, ensure data is being logged that is required. Modify the correlation as needed based on volume of noise related to the other analytics. 
@@ -40545,7 +41235,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - RIR - Steal or Forge Authentication Certificates Behavior Identified - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Certificate Services"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "mitre_attack": ["T1649"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Windows Certificate Services"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1649"], "nist": ["DE.AE"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -40568,7 +41258,7 @@ search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_ action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The malware sunburst will load the malicious dll by SolarWinds.BusinessLayerHost.exe. After a period of 12-14 days, the malware will attempt to resolve a subdomain of avsvmcloud.com. This detections will correlate both events. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1203"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1203"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The malware sunburst will load the malicious dll by SolarWinds.BusinessLayerHost.exe. After a period of 12-14 days, the malware will attempt to resolve a subdomain of avsvmcloud.com. This detections will correlate both events. action.escu.how_to_implement = This detection relies on sysmon logs with the Event ID 7, Driver loaded. Please tune your sysmon config that you DriverLoad event for SolarWinds.Orion.Core.BusinessLayer.dll is captured by Sysmon. Additionally, you need sysmon logs for Event ID 22, DNS Query. We suggest to run this detection at least once a day over the last 14 days. 
@@ -40591,7 +41281,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Sunburst Correlation DLL and Network Event - Rule -action.correlationsearch.annotations = {"analytic_story": ["NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1203"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1203"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -40614,7 +41304,7 @@ search = (`sysmon` EventCode=7 ImageLoaded=*SolarWinds.Orion.Core.BusinessLayer. action.escu = 0 action.escu.enabled = 1 description = As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries need to create a new computer account name and rename it to match the name of a domain controller account without the ending '$'. In Windows Active Directory environments, computer account names always end with `$`. This analytic leverages Event Id 4781, `The name of an account was changed`, to identify a computer account rename event with a suspicious name that does not terminate with `$`. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries need to create a new computer account name and rename it to match the name of a domain controller account without the ending '$'. In Windows Active Directory environments, computer account names always end with `$`. This analytic leverages Event Id 4781, `The name of an account was changed`, to identify a computer account rename event with a suspicious name that does not terminate with `$`. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed. 
@@ -40637,7 +41327,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious Computer Account Name Change - Rule -action.correlationsearch.annotations = {"analytic_story": ["sAMAccountName Spoofing and Domain Controller Impersonation", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2021-42287", "CVE-2021-42278"], "impact": 100, "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["sAMAccountName Spoofing and Domain Controller Impersonation", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2021-42287", "CVE-2021-42278"], "impact": 100, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -40660,7 +41350,7 @@ search = `wineventlog_security` EventCode=4781 Old_Account_Name="*$" New_Account action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect a suspicious copy of file from systemroot folder of the windows OS. This technique is commonly used by APT or other malware as part of execution (LOLBIN) to run its malicious code using the available legitimate tool in OS. this type of event may seen or may execute of normal user in some instance but this is really a anomaly that needs to be check within the network. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1036.003", "T1036"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.003", "T1036"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to detect a suspicious copy of file from systemroot folder of the windows OS. This technique is commonly used by APT or other malware as part of execution (LOLBIN) to run its malicious code using the available legitimate tool in OS. this type of event may seen or may execute of normal user in some instance but this is really a anomaly that needs to be check within the network. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -40683,7 +41373,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious Copy on System32 - Rule -action.correlationsearch.annotations = {"analytic_story": ["Unusual Processes", "Qakbot", "IcedID", "AsyncRAT", "Sandworm Tools", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1036.003", "T1036"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Unusual Processes", "Qakbot", "IcedID", "AsyncRAT", "Sandworm Tools", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036.003", "T1036"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -40706,7 +41396,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies the use of a curl contacting suspicious remote domains to checkin to Command And Control servers or download further implants. In the context of Silver Sparrow, curl is identified contacting s3.amazonaws.com. This particular behavior is common with MacOS adware-malicious software. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the use of a curl contacting suspicious remote domains to checkin to Command And Control servers or download further implants. In the context of Silver Sparrow, curl is identified contacting s3.amazonaws.com. This particular behavior is common with MacOS adware-malicious software. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -40729,7 +41419,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Suspicious Curl Network Connection - Rule -action.correlationsearch.annotations = {"analytic_story": ["Silver Sparrow", "Ingress Tool Transfer", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1105"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Silver Sparrow", "Ingress Tool Transfer", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -40752,7 +41442,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -40775,7 +41465,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious DLLHost no Command Line Arguments - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -40798,7 +41488,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint action.escu = 0 action.escu.enabled = 1 description = This analytic will detect suspicious driver loaded paths. This technique is commonly used by malicious software like coin miners (xmrig) to register its malicious driver from notable directories where executable or drivers do not commonly exist. During triage, validate this driver is for legitimate business use. Review the metadata and certificate information. Unsigned drivers from non-standard paths is not normal, but occurs. In addition, review driver loads into `ntoskrnl.exe` for possible other drivers of interest. Long tail analyze drivers by path (outside of default, and in default) for further review. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This analytic will detect suspicious driver loaded paths. This technique is commonly used by malicious software like coin miners (xmrig) to register its malicious driver from notable directories where executable or drivers do not commonly exist. During triage, validate this driver is for legitimate business use. Review the metadata and certificate information. Unsigned drivers from non-standard paths is not normal, but occurs. In addition, review driver loads into `ntoskrnl.exe` for possible other drivers of interest. Long tail analyze drivers by path (outside of default, and in default) for further review. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the driver loaded and Signature from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. 
@@ -40813,7 +41503,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["XMRig", "CISA AA22-320A", "AgentTesla", "BlackByte Ransomware"] action.risk = 1 action.risk.param._risk_message = Suspicious driver $file_name$ on $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"threat_object_field": "file_name", "threat_object_type": "file name"}] +action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -40821,7 +41511,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious Driver Loaded Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["XMRig", "CISA AA22-320A", "AgentTesla", "BlackByte Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["XMRig", "CISA AA22-320A", "AgentTesla", "BlackByte Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543.003", "T1543"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -40844,7 +41534,7 @@ search = `sysmon` EventCode=6 ImageLoaded = "*.sys" NOT (ImageLoaded IN("*\\WIND action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes Windows Event ID 1100 to identify when Windows event log service is shutdown. Note that this is a voluminous analytic that will require tuning or restricted to specific endpoints based on criticality. This event generates every time Windows Event Log service has shut down. It also generates during normal system shutdown. During triage, based on time of day and user, determine if this was planned. If not planned, follow through with reviewing parallel alerts and other data sources to determine what else may have occurred. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1070", "T1070.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070", "T1070.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes Windows Event ID 1100 to identify when Windows event log service is shutdown. Note that this is a voluminous analytic that will require tuning or restricted to specific endpoints based on criticality. This event generates every time Windows Event Log service has shut down. It also generates during normal system shutdown. During triage, based on time of day and user, determine if this was planned. If not planned, follow through with reviewing parallel alerts and other data sources to determine what else may have occurred. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed. 
@@ -40867,7 +41557,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious Event Log Service Behavior - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Log Manipulation", "Ransomware", "Clop Ransomware"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "mitre_attack": ["T1070", "T1070.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Windows Log Manipulation", "Ransomware", "Clop Ransomware"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070", "T1070.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -40890,7 +41580,7 @@ search = (`wineventlog_security` EventCode=1100) | stats count min(_time) as fir action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies gpupdate.exe with no command line arguments. It is unusual for gpupdate.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. gpupdate.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies gpupdate.exe with no command line arguments. It is unusual for gpupdate.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. gpupdate.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -40913,7 +41603,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious GPUpdate no Command Line Arguments - Rule -action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -40936,7 +41626,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint action.escu = 0 action.escu.enabled = 1 description = This search is to detect a suspicious rundll32.exe commandline to execute dll file. This technique was seen in IcedID malware to load its payload dll with the following parameter to load encrypted dll payload which is the license.dat. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search is to detect a suspicious rundll32.exe commandline to execute dll file. This technique was seen in IcedID malware to load its payload dll with the following parameter to load encrypted dll payload which is the license.dat. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -40959,7 +41649,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious IcedID Rundll32 Cmdline - Rule -action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -40982,7 +41672,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This search is to detect a suspicious creation of image in appdata folder made by process that also has a file reference in appdata folder. This technique was seen in remcos rat that capture screenshot of the compromised machine and place it in the appdata and will be send to its C2 server. This TTP is really a good indicator to check that process because it is in suspicious folder path and image files are not commonly created by user in this folder path. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search is to detect a suspicious creation of image in appdata folder made by process that also has a file reference in appdata folder. This technique was seen in remcos rat that capture screenshot of the compromised machine and place it in the appdata and will be send to its C2 server. This TTP is really a good indicator to check that process because it is in suspicious folder path and image files are not commonly created by user in this folder path. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. 
@@ -41005,7 +41695,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious Image Creation In Appdata Folder - Rule -action.correlationsearch.annotations = {"analytic_story": ["Remcos"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1113"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Remcos"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -41028,7 +41718,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint action.escu = 0 action.escu.enabled = 1 description = As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries will request and obtain a Kerberos Service Ticket (TGS) with a domain controller computer account as the Service Name. This Service Ticket can be then used to take control of the domain controller on the final part of the attack. This analytic leverages Event Id 4769, `A Kerberos service ticket was requested`, to identify an unusual TGS request where the Account_Name requesting the ticket matches the Service_Name field. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries will request and obtain a Kerberos Service Ticket (TGS) with a domain controller computer account as the Service Name. This Service Ticket can be then used to take control of the domain controller on the final part of the attack. This analytic leverages Event Id 4769, `A Kerberos service ticket was requested`, to identify an unusual TGS request where the Account_Name requesting the ticket matches the Service_Name field. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. 
The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. @@ -41051,7 +41741,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious Kerberos Service Ticket Request - Rule -action.correlationsearch.annotations = {"analytic_story": ["sAMAccountName Spoofing and Domain Controller Impersonation", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 60, "cve": ["CVE-2021-42287", "CVE-2021-42278"], "impact": 100, "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["sAMAccountName Spoofing and Domain Controller Impersonation", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 60, "cve": ["CVE-2021-42287", "CVE-2021-42278"], "impact": 100, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -41075,7 +41765,7 @@ action.escu = 0 action.escu.enabled = 1 description = This search, detects execution of suspicious bash commands from various commonly leveraged bash scripts like (AutoSUID, LinEnum, LinPeas) to perform discovery of possible paths of privilege execution, password files, vulnerable directories, executables and file permissions on a Linux host.\ The search logic specifically looks for high number of distinct commands run in a short period of time. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.004"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.004"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search, detects execution of suspicious bash commands from various commonly leveraged bash scripts like (AutoSUID, LinEnum, LinPeas) to perform discovery of possible paths of privilege execution, password files, vulnerable directories, executables and file permissions on a Linux host.\ The search logic specifically looks for high number of distinct commands run in a short period of time. @@ -41099,7 +41789,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious Linux Discovery Commands - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "mitre_attack": ["T1059.004"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Post-Exploitation"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.004"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -41123,7 +41813,7 @@ search = | tstats `security_content_summariesonly` count values(Processes.proces action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a renamed instance of microsoft.workflow.compiler.exe. Microsoft.workflow.compiler.exe is natively found in C:\Windows\Microsoft.NET\Framework64\v4.0.30319 and is rarely utilized. When investigating, identify the executed code on disk and review. A spawned child process from microsoft.workflow.compiler.exe is uncommon. In any instance, microsoft.workflow.compiler.exe spawning from an Office product or any living off the land binary is highly suspect. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1036", "T1127", "T1036.003"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1127", "T1036.003"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies a renamed instance of microsoft.workflow.compiler.exe. Microsoft.workflow.compiler.exe is natively found in C:\Windows\Microsoft.NET\Framework64\v4.0.30319 and is rarely utilized. When investigating, identify the executed code on disk and review. A spawned child process from microsoft.workflow.compiler.exe is uncommon. In any instance, microsoft.workflow.compiler.exe spawning from an Office product or any living off the land binary is highly suspect. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -41141,7 +41831,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious microsoft workflow compiler rename - Rule -action.correlationsearch.annotations = {"analytic_story": ["Masquerading - Rename System Utilities", "Living Off The Land", "Cobalt Strike", "Trusted Developer Utilities Proxy Execution", "BlackByte Ransomware", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1036", "T1127", "T1036.003"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Masquerading - Rename System Utilities", "Living Off The Land", "Cobalt Strike", "Trusted Developer Utilities Proxy Execution", "BlackByte Ransomware", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1127", "T1036.003"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -41158,7 +41848,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies microsoft.workflow.compiler.exe usage. microsoft.workflow.compiler.exe is natively found in C:\Windows\Microsoft.NET\Framework64\v4.0.30319 and is rarely utilized. When investigating, identify the executed code on disk and review. It is not a commonly used process by many applications. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1127"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1127"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies microsoft.workflow.compiler.exe usage. microsoft.workflow.compiler.exe is natively found in C:\Windows\Microsoft.NET\Framework64\v4.0.30319 and is rarely utilized. When investigating, identify the executed code on disk and review. It is not a commonly used process by many applications. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -41181,7 +41871,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious microsoft workflow compiler usage - Rule -action.correlationsearch.annotations = {"analytic_story": ["Trusted Developer Utilities Proxy Execution", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "mitre_attack": ["T1127"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Trusted Developer Utilities Proxy Execution", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1127"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -41204,7 +41894,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies msbuild.exe executing from a non-standard path. Msbuild.exe is natively found in C:\Windows\Microsoft.NET\Framework\v4.0.30319 and C:\Windows\Microsoft.NET\Framework64\v4.0.30319. Instances of Visual Studio will run a copy of msbuild.exe. A moved instance of MSBuild is suspicious, however there are instances of build applications that will move or use a copy of MSBuild. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1036", "T1127", "T1036.003", "T1127.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1127", "T1036.003", "T1127.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies msbuild.exe executing from a non-standard path. Msbuild.exe is natively found in C:\Windows\Microsoft.NET\Framework\v4.0.30319 and C:\Windows\Microsoft.NET\Framework64\v4.0.30319. Instances of Visual Studio will run a copy of msbuild.exe. A moved instance of MSBuild is suspicious, however there are instances of build applications that will move or use a copy of MSBuild. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -41227,7 +41917,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious msbuild path - Rule -action.correlationsearch.annotations = {"analytic_story": ["Trusted Developer Utilities Proxy Execution MSBuild", "Masquerading - Rename System Utilities", "Living Off The Land", "Cobalt Strike", "BlackByte Ransomware", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1036", "T1127", "T1036.003", "T1127.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Trusted Developer Utilities Proxy Execution MSBuild", "Masquerading - Rename System Utilities", "Living Off The Land", "Cobalt Strike", "BlackByte Ransomware", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1127", "T1036.003", "T1127.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -41250,7 +41940,7 @@ search = | tstats `security_content_summariesonly` count values(Processes.proces action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies renamed instances of msbuild.exe executing. Msbuild.exe is natively found in C:\Windows\Microsoft.NET\Framework\v4.0.30319 and C:\Windows\Microsoft.NET\Framework64\v4.0.30319. During investigation, identify the code executed and what is executing a renamed instance of MSBuild. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1036", "T1127", "T1036.003", "T1127.001"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1127", "T1036.003", "T1127.001"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies renamed instances of msbuild.exe executing. Msbuild.exe is natively found in C:\Windows\Microsoft.NET\Framework\v4.0.30319 and C:\Windows\Microsoft.NET\Framework64\v4.0.30319. During investigation, identify the code executed and what is executing a renamed instance of MSBuild. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -41268,7 +41958,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Suspicious MSBuild Rename - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Trusted Developer Utilities Proxy Execution MSBuild", "Masquerading - Rename System Utilities", "Living Off The Land", "Cobalt Strike", "BlackByte Ransomware", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1036", "T1127", "T1036.003", "T1127.001"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Trusted Developer Utilities Proxy Execution MSBuild", "Masquerading - Rename System Utilities", "Living Off The Land", "Cobalt Strike", "BlackByte Ransomware", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1127", "T1036.003", "T1127.001"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -41285,7 +41975,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies wmiprvse.exe spawning msbuild.exe. This behavior is indicative of a COM object being utilized to spawn msbuild from wmiprvse.exe. It is common for MSBuild.exe to be spawned from devenv.exe while using Visual Studio. In this instance, there will be command line arguments and file paths. In a malicious instance, MSBuild.exe will spawn from non-standard processes and have no command line arguments. For example, MSBuild.exe spawning from explorer.exe, powershell.exe is far less common and should be investigated.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1127", "T1127.001"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1127", "T1127.001"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies wmiprvse.exe spawning msbuild.exe. This behavior is indicative of a COM object being utilized to spawn msbuild from wmiprvse.exe. It is common for MSBuild.exe to be spawned from devenv.exe while using Visual Studio. In this instance, there will be command line arguments and file paths. In a malicious instance, MSBuild.exe will spawn from non-standard processes and have no command line arguments. For example, MSBuild.exe spawning from explorer.exe, powershell.exe is far less common and should be investigated.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -41308,7 +41998,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Suspicious MSBuild Spawn - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Trusted Developer Utilities Proxy Execution MSBuild", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "mitre_attack": ["T1127", "T1127.001"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Trusted Developer Utilities Proxy Execution MSBuild", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1127", "T1127.001"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -41331,7 +42021,7 @@ search = | tstats `security_content_summariesonly` count values(Processes.proces
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies child processes spawning from "mshta.exe". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process "mshta.exe" and its child process.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies child processes spawning from "mshta.exe". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process "mshta.exe" and its child process.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -41354,7 +42044,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Suspicious mshta child process - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious MSHTA Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious MSHTA Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -41377,7 +42067,7 @@ search = | tstats `security_content_summariesonly` count values(Processes.proces
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies wmiprvse.exe spawning mshta.exe. This behavior is indicative of a DCOM object being utilized to spawn mshta from wmiprvse.exe or svchost.exe. In this instance, adversaries may use LethalHTA that will spawn mshta.exe from svchost.exe.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies wmiprvse.exe spawning mshta.exe. This behavior is indicative of a DCOM object being utilized to spawn mshta from wmiprvse.exe or svchost.exe. In this instance, adversaries may use LethalHTA that will spawn mshta.exe from svchost.exe.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -41400,7 +42090,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Suspicious mshta spawn - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious MSHTA Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious MSHTA Activity", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.005"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -41430,7 +42120,7 @@ description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splu
 - PlistBuddy -c "Add :ProgramArguments:0 string /bin/sh" ~/Library/Launchagents/init_verx.plist \
 - PlistBuddy -c "Add :ProgramArguments:1 string -c" ~/Library/Launchagents/init_verx.plist \
 Upon triage, capture the property list file being written to disk and review for further indicators. Contain the endpoint and triage further.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1543.001", "T1543"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543.001", "T1543"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies the use of a native MacOS utility, PlistBuddy, creating or modifying a properly list (.plist) file. In the instance of Silver Sparrow, the following commands were executed:\
 - PlistBuddy -c "Add :Label string init_verx" ~/Library/Launchagents/init_verx.plist \
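Review bot: The `action.escu.eli5` context line of the PlistBuddy section in this hunk reads `creating or modifying a properly list (.plist) file`; it should read `property list (.plist) file`, and the same typo is carried in the "Suspicious PlistBuddy Usage via OSquery" section that follows. The same class of unfixed wording defect appears later in this file in the "Suspicious Process With Discord DNS Query" section, where `how_to_implement = his detection relies on sysmon logs` should start with `This detection`, and the description and eli5 both say `to host and download malicious. external files` with a stray period. These are unchanged lines rather than part of the annotation change, and since dist/ is produced by the release job, the corrections belong in the source detection definitions the file is generated from rather than in this file.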
@@ -41460,7 +42150,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Suspicious PlistBuddy Usage - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Silver Sparrow"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1543.001", "T1543"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Silver Sparrow"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543.001", "T1543"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -41497,7 +42187,7 @@ description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splu
 - PlistBuddy -c "Add :ProgramArguments:0 string /bin/sh" ~/Library/Launchagents/init_verx.plist \
 - PlistBuddy -c "Add :ProgramArguments:1 string -c" ~/Library/Launchagents/init_verx.plist \
 Upon triage, capture the property list file being written to disk and review for further indicators. Contain the endpoint and triage further.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1543.001", "T1543"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543.001", "T1543"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies the use of a native MacOS utility, PlistBuddy, creating or modifying a properly list (.plist) file. In the instance of Silver Sparrow, the following commands were executed:\
 - PlistBuddy -c "Add :Label string init_verx" ~/Library/Launchagents/init_verx.plist \
@@ -41527,7 +42217,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Suspicious PlistBuddy Usage via OSquery - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Silver Sparrow"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1543.001", "T1543"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Silver Sparrow"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543.001", "T1543"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -41557,7 +42247,7 @@ search = `osquery_process` "columns.cmdline"="*LaunchAgents*" OR "columns.cmdlin
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network.
 action.escu.how_to_implement = This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days.
@@ -41569,7 +42259,7 @@ action.escu.full_search_name = ESCU - Suspicious Process DNS Query Known Abuse W
 action.escu.search_type = detection
 action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
 action.escu.providing_technologies = null
-action.escu.analytic_story = ["Data Destruction", "WhisperGate", "Remcos"]
+action.escu.analytic_story = ["Data Destruction", "WhisperGate", "Remcos", "Phemedrone Stealer"]
 action.risk = 1
 action.risk.param._risk_message = suspicious process $process_name$ has a dns query in $QueryName$ on $dest$
 action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"threat_object_field": "process_name", "threat_object_type": "process"}]
@@ -41580,7 +42270,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "WhisperGate", "Remcos"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "WhisperGate", "Remcos", "Phemedrone Stealer"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -41597,13 +42287,13 @@ relation = greater than
 quantity = 0
 realtime_schedule = 0
 is_visible = false
-search = `sysmon` EventCode=22 QueryName IN ("*pastebin*", "*discord*", "*telegram*", "*t.me*") process_name IN ("cmd.exe", "*powershell*", "pwsh.exe", "wscript.exe", "cscript.exe") | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_dns_query_known_abuse_web_services_filter`
+search = `sysmon` EventCode=22 QueryName IN ("*pastebin*", "*discord*", "*api.telegram*","*t.me*") process_name IN ("cmd.exe", "*powershell*", "pwsh.exe", "wscript.exe","cscript.exe") OR Image IN ("*\\users\\public\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*") | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_dns_query_known_abuse_web_services_filter`
 [ESCU - Suspicious Process Executed From Container File - Rule]
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic identifies a suspicious process spawned by another process from within common container/archive file types. This technique was a common technique used by adversaries and malware to execute scripts or evade defenses. This TTP may detect some normal software installation or user behaviors where opening archive files is common.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1204.002", "T1036.008"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1204.002", "T1036.008"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic identifies a suspicious process spawned by another process from within common container/archive file types. This technique was a common technique used by adversaries and malware to execute scripts or evade defenses. This TTP may detect some normal software installation or user behaviors where opening archive files is common.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
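Review bot: The new `search` line for "Suspicious Process DNS Query Known Abuse Web Services" in this hunk joins `process_name IN (...)` and the added `OR Image IN (...)` without parentheses, so the grouping relative to the preceding `EventCode=22 QueryName IN (...)` terms is left to the search command's precedence rules; those evaluate OR before the implicit AND, which yields `QueryName IN (...) AND (process_name IN (...) OR Image IN (...))` and appears to be the intent, but anyone reading it with the more common AND-binds-tighter assumption will conclude that a query from any `Image` under those paths fires regardless of `QueryName`. Make it explicit: `QueryName IN ("*pastebin*", "*discord*", "*api.telegram*","*t.me*") (process_name IN ("cmd.exe", "*powershell*", "pwsh.exe", "wscript.exe","cscript.exe") OR Image IN ("*\\users\\public\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*"))`. Narrowing `"*telegram*"` to `"*api.telegram*"` also drops other Telegram hostnames from coverage while the description still speaks generically of telegram, which is presumably a deliberate false-positive trade-off but worth a line in the detection's description. Since dist/ is regenerated by the release job, the change belongs in the source detection definition, not this file.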
@@ -41618,7 +42308,7 @@ action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Bla
 action.escu.analytic_story = ["Unusual Processes", "Amadey", "Remcos"]
 action.risk = 1
 action.risk.param._risk_message = A suspicious process $process_name$ was launched from $file_name$ on $dest$.
-action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 16}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 16}, {"threat_object_field": "file_name", "threat_object_type": "file name"}]
+action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 16}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 16}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -41626,7 +42316,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Suspicious Process Executed From Container File - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Unusual Processes", "Amadey", "Remcos"], "cis20": ["CIS 10"], "confidence": 20, "impact": 80, "mitre_attack": ["T1204.002", "T1036.008"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Unusual Processes", "Amadey", "Remcos"], "cis20": ["CIS 10"], "confidence": 20, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1204.002", "T1036.008"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -41649,7 +42339,7 @@ search = | tstats `security_content_summariesonly` count values(Processes.proces
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic identifies a suspicious processes running in file paths that are not typically associated with legitimate software. Adversaries often employ this technique to drop and execute malicious executables in accessible locations that do not require administrative privileges. By monitoring for processes running in such unconventional file paths, we can identify potential indicators of compromise and proactively respond to malicious activity. This analytic plays a crucial role in enhancing system security by pinpointing suspicious behaviors commonly associated with malware and unauthorized software execution.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1543"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic identifies a suspicious processes running in file paths that are not typically associated with legitimate software. Adversaries often employ this technique to drop and execute malicious executables in accessible locations that do not require administrative privileges. By monitoring for processes running in such unconventional file paths, we can identify potential indicators of compromise and proactively respond to malicious activity. This analytic plays a crucial role in enhancing system security by pinpointing suspicious behaviors commonly associated with malware and unauthorized software execution.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -41661,10 +42351,10 @@ action.escu.full_search_name = ESCU - Suspicious Process File Path - Rule
 action.escu.search_type = detection
 action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
 action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]
-action.escu.analytic_story = ["Double Zero Destructor", "Graceful Wipe Out Attack", "AsyncRAT", "WhisperGate", "Prestige Ransomware", "DarkGate Malware", "AgentTesla", "Brute Ratel C4", "RedLine Stealer", "Rhysida Ransomware", "Swift Slicer", "IcedID", "DarkCrystal RAT", "Chaos Ransomware", "PlugX", "Industroyer2", "Azorult", "Remcos", "XMRig", "Qakbot", "Volt Typhoon", "Hermetic Wiper", "Warzone RAT", "Trickbot", "Amadey", "BlackByte Ransomware", "LockBit Ransomware", "CISA AA23-347A", "Data Destruction"]
+action.escu.analytic_story = ["Double Zero Destructor", "Graceful Wipe Out Attack", "AsyncRAT", "WhisperGate", "Prestige Ransomware", "DarkGate Malware", "AgentTesla", "Brute Ratel C4", "RedLine Stealer", "Rhysida Ransomware", "Swift Slicer", "IcedID", "DarkCrystal RAT", "Chaos Ransomware", "PlugX", "Industroyer2", "Azorult", "Remcos", "XMRig", "Qakbot", "Volt Typhoon", "Hermetic Wiper", "Warzone RAT", "Trickbot", "Amadey", "BlackByte Ransomware", "LockBit Ransomware", "CISA AA23-347A", "Data Destruction", "Phemedrone Stealer"]
 action.risk = 1
 action.risk.param._risk_message = Suspicious process $process_name$ running from a suspicious process path- $process_path$ on host- $dest$
-action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"threat_object_field": "process_path", "threat_object_type": "process name"}]
+action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"threat_object_field": "process_path", "threat_object_type": "process"}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -41672,7 +42362,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Suspicious Process File Path - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Double Zero Destructor", "Graceful Wipe Out Attack", "AsyncRAT", "WhisperGate", "Prestige Ransomware", "DarkGate Malware", "AgentTesla", "Brute Ratel C4", "RedLine Stealer", "Rhysida Ransomware", "Swift Slicer", "IcedID", "DarkCrystal RAT", "Chaos Ransomware", "PlugX", "Industroyer2", "Azorult", "Remcos", "XMRig", "Qakbot", "Volt Typhoon", "Hermetic Wiper", "Warzone RAT", "Trickbot", "Amadey", "BlackByte Ransomware", "LockBit Ransomware", "CISA AA23-347A", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "mitre_attack": ["T1543"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Double Zero Destructor", "Graceful Wipe Out Attack", "AsyncRAT", "WhisperGate", "Prestige Ransomware", "DarkGate Malware", "AgentTesla", "Brute Ratel C4", "RedLine Stealer", "Rhysida Ransomware", "Swift Slicer", "IcedID", "DarkCrystal RAT", "Chaos Ransomware", "PlugX", "Industroyer2", "Azorult", "Remcos", "XMRig", "Qakbot", "Volt Typhoon", "Hermetic Wiper", "Warzone RAT", "Trickbot", "Amadey", "BlackByte Ransomware", "LockBit Ransomware", "CISA AA23-347A", "Data Destruction", "Phemedrone Stealer"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -41695,7 +42385,7 @@ search = | tstats `security_content_summariesonly` count values(Processes.proces
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic identifies a process making a DNS query to Discord, a well known instant messaging and digital distribution platform. Discord can be abused by adversaries, as seen in the WhisperGate campaign, to host and download malicious. external files. A process resolving a Discord DNS name could be an indicator of malware trying to download files from Discord for further execution.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This analytic identifies a process making a DNS query to Discord, a well known instant messaging and digital distribution platform. Discord can be abused by adversaries, as seen in the WhisperGate campaign, to host and download malicious. external files. A process resolving a Discord DNS name could be an indicator of malware trying to download files from Discord for further execution.
 action.escu.how_to_implement = his detection relies on sysmon logs with the Event ID 22, DNS Query.
@@ -41710,7 +42400,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = ["Data Destruction", "WhisperGate"]
 action.risk = 1
 action.risk.param._risk_message = suspicious process $process_name$ has a dns query in $QueryName$ on $dest$
-action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"threat_object_field": "process_name", "threat_object_type": "process name"}]
+action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"threat_object_field": "process_name", "threat_object_type": "process"}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -41718,7 +42408,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Suspicious Process With Discord DNS Query - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "WhisperGate"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "WhisperGate"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -41735,7 +42425,7 @@ search = `sysmon` EventCode=22 QueryName IN ("*discord*") Image != "*\\AppData\\
 action.escu = 0
 action.escu.enabled = 1
 description = This search looks for reg.exe being launched from a command prompt not started by the user. When a user launches cmd.exe, the parent process is usually explorer.exe. This search filters out those instances.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search looks for reg.exe being launched from a command prompt not started by the user. When a user launches cmd.exe, the parent process is usually explorer.exe. This search filters out those instances.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -41758,7 +42448,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Suspicious Reg exe Process - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Disabling Security Tools", "DHS Report TA18-074A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Disabling Security Tools", "DHS Report TA18-074A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -41775,7 +42465,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = Adversaries may abuse Regsvr32.exe to proxy execution of malicious code by using non-standard file extensions to load DLLs. Upon investigating, look for network connections to remote destinations (internal or external). Review additional parrallel processes and child processes for additional activity.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = Adversaries may abuse Regsvr32.exe to proxy execution of malicious code by using non-standard file extensions to load DLLs. Upon investigating, look for network connections to remote destinations (internal or external). Review additional parrallel processes and child processes for additional activity.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -41798,7 +42488,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Regsvr32 Activity", "Icedid", "Living Off The Land", "Qakbot"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Regsvr32 Activity", "Icedid", "Living Off The Land", "Qakbot"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -41821,7 +42511,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies rundll32.exe using dllregisterserver on the command line to load a DLL. When a DLL is registered, the DllRegisterServer method entry point in the DLL is invoked. This is typically seen when a DLL is being registered on the system. Not every instance is considered malicious, but it will capture malicious use of it. During investigation, review the parent process and parrellel processes executing. Capture the DLL being loaded and inspect further. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies rundll32.exe using dllregisterserver on the command line to load a DLL. When a DLL is registered, the DllRegisterServer method entry point in the DLL is invoked. This is typically seen when a DLL is being registered on the system. Not every instance is considered malicious, but it will capture malicious use of it. During investigation, review the parent process and parrellel processes executing. Capture the DLL being loaded and inspect further. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -41844,7 +42534,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Suspicious Rundll32 dllregisterserver - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Rundll32 Activity", "Living Off The Land", "IcedID"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Rundll32 Activity", "Living Off The Land", "IcedID"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -41867,7 +42557,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -41890,7 +42580,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Suspicious Rundll32 no Command Line Arguments - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Suspicious Rundll32 Activity", "Cobalt Strike", "BlackByte Ransomware", "PrintNightmare CVE-2021-34527", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2021-34527"], "impact": 70, "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Suspicious Rundll32 Activity", "Cobalt Strike", "BlackByte Ransomware", "PrintNightmare CVE-2021-34527", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2021-34527"], "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -41913,7 +42603,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = This search is to detect a suspicious rundll32.exe process with plugininit parameter. This technique is commonly seen in IcedID malware to execute its initial dll stager to download another payload to the compromised machine.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search is to detect a suspicious rundll32.exe process with plugininit parameter. This technique is commonly seen in IcedID malware to execute its initial dll stager to download another payload to the compromised machine.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -41936,7 +42626,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Suspicious Rundll32 PluginInit - Rule
-action.correlationsearch.annotations = {"analytic_story": ["IcedID"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["IcedID"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -41959,7 +42649,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies rundll32.exe executing a DLL function name, Start and StartW, on the command line that is commonly observed with Cobalt Strike x86 and x64 DLL payloads. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. Typically, the DLL will be written and loaded from a world writeable path or user location. In most instances it will not have a valid certificate (Unsigned). During investigation, review the parent process and other parallel application execution. Capture and triage the DLL in question. In the instance of Cobalt Strike, rundll32.exe is the default process it opens and injects shellcode into. This default process can be changed, but typically is not.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies rundll32.exe executing a DLL function name, Start and StartW, on the command line that is commonly observed with Cobalt Strike x86 and x64 DLL payloads. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. Typically, the DLL will be written and loaded from a world writeable path or user location. In most instances it will not have a valid certificate (Unsigned). During investigation, review the parent process and other parallel application execution. Capture and triage the DLL in question. In the instance of Cobalt Strike, rundll32.exe is the default process it opens and injects shellcode into. This default process can be changed, but typically is not.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -41982,7 +42672,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Suspicious Rundll32 StartW - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Trickbot", "Suspicious Rundll32 Activity", "Cobalt Strike", "BlackByte Ransomware", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Trickbot", "Suspicious Rundll32 Activity", "Cobalt Strike", "BlackByte Ransomware", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -42006,7 +42696,7 @@ action.escu = 0 action.escu.enabled = 1 description = The following analytic, "Suspicious Scheduled Task from Public Directory", detects the registration of scheduled tasks aimed to execute a binary or script from public directories, a behavior often associated with malware deployment. It utilizes the Sysmon Event ID 1 data source, searching for instances where schtasks.exe is connected with the directories users\public, \programdata\, or \windows\temp and involves the /create command.\ The registration of such scheduled tasks in public directories could suggest that an attacker is trying to maintain persistence or execute malicious scripts. If confirmed as a true positive, this could lead to data compromise, unauthorized access, and potential lateral movement within the network. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic, "Suspicious Scheduled Task from Public Directory", detects the registration of scheduled tasks aimed to execute a binary or script from public directories, a behavior often associated with malware deployment. It utilizes the Sysmon Event ID 1 data source, searching for instances where schtasks.exe is connected with the directories users\public, \programdata\, or \windows\temp and involves the /create command.\ The registration of such scheduled tasks in public directories could suggest that an attacker is trying to maintain persistence or execute malicious scripts. If confirmed as a true positive, this could lead to data compromise, unauthorized access, and potential lateral movement within the network. 
@@ -42030,7 +42720,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Suspicious Scheduled Task from Public Directory - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Azorult", "Ryuk Ransomware", "Scheduled Tasks", "Ransomware", "Windows Persistence Techniques", "Living Off The Land", "DarkCrystal RAT", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Azorult", "Ryuk Ransomware", "Scheduled Tasks", "Ransomware", "Windows Persistence Techniques", "Living Off The Land", "DarkCrystal RAT", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -42047,7 +42737,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies searchprotocolhost.exe with no command line arguments. It is unusual for searchprotocolhost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. searchprotocolhost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies searchprotocolhost.exe with no command line arguments. It is unusual for searchprotocolhost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. searchprotocolhost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -42070,7 +42760,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule
-action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["BlackByte Ransomware", "Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -42093,7 +42783,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic identifies the use of a SQLite3 querying the MacOS preferences to identify the original URL the pkg was downloaded from. This particular behavior is common with MacOS adware-malicious software. Upon triage, review other processes in parallel for suspicious activity. Identify any recent package installations.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1074"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1074"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies the use of a SQLite3 querying the MacOS preferences to identify the original URL the pkg was downloaded from. This particular behavior is common with MacOS adware-malicious software. Upon triage, review other processes in parallel for suspicious activity. Identify any recent package installations.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -42116,7 +42806,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Experimental - Suspicious SQLite3 LSQuarantine Behavior - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Silver Sparrow"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1074"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Silver Sparrow"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1074"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -42139,7 +42829,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries will need to request a Kerberos Ticket Granting Ticket (TGT) on behalf of the newly created and renamed computer account. The TGT request will be preceded by a computer account name event. This analytic leverages Event Id 4781, `The name of an account was changed` and event Id 4768 `A Kerberos authentication ticket (TGT) was requested` to correlate a sequence of events where the new computer account on event id 4781 matches the request account on event id 4768. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries will need to request a Kerberos Ticket Granting Ticket (TGT) on behalf of the newly created and renamed computer account. The TGT request will be preceded by a computer account name event. This analytic leverages Event Id 4781, `The name of an account was changed` and event Id 4768 `A Kerberos authentication ticket (TGT) was requested` to correlate a sequence of events where the new computer account on event id 4781 matches the request account on event id 4768. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.
@@ -42157,7 +42847,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Suspicious Ticket Granting Ticket Request - Rule
-action.correlationsearch.annotations = {"analytic_story": ["sAMAccountName Spoofing and Domain Controller Impersonation", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 60, "impact": 100, "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["sAMAccountName Spoofing and Domain Controller Impersonation", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 60, "impact": 100, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078", "T1078.002"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -42174,7 +42864,7 @@ search = `wineventlog_security` (EventCode=4781 Old_Account_Name="*$" New_Accou
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic is to detect a suspicious creation of .wav file in appdata folder. This behavior was seen in Remcos RAT malware where it put the audio recording in the appdata\audio folde as part of data collection. this recording can be send to its C2 server as part of its exfiltration to the compromised machine. creation of wav files in this folder path is not a ussual disk place used by user to save audio format file.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This analytic is to detect a suspicious creation of .wav file in appdata folder. This behavior was seen in Remcos RAT malware where it put the audio recording in the appdata\audio folde as part of data collection. this recording can be send to its C2 server as part of its exfiltration to the compromised machine. creation of wav files in this folder path is not a ussual disk place used by user to save audio format file.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, file_name, file_path and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
@@ -42197,7 +42887,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Suspicious WAV file in Appdata Folder - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Remcos"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1113"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Remcos"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1113"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -42220,7 +42910,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = The wevtutil.exe application is the windows event log utility. This searches for wevtutil.exe with parameters for clearing the application, security, setup, trace or system event logs.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1070.001", "T1070"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.001", "T1070"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The wevtutil.exe application is the windows event log utility. This searches for wevtutil.exe with parameters for clearing the application, security, setup, trace or system event logs.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -42243,7 +42933,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Suspicious wevtutil Usage - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Log Manipulation", "Ransomware", "Rhysida Ransomware", "Clop Ransomware", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "mitre_attack": ["T1070.001", "T1070"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Log Manipulation", "Ransomware", "Rhysida Ransomware", "Clop Ransomware", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070.001", "T1070"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -42266,7 +42956,7 @@ search = | tstats `security_content_summariesonly` values(Processes.process) as action.escu = 0 action.escu.enabled = 1 description = The following analytic detects when a process other than explorer.exe writes to the Windows Recycle Bin to detect potential threats earlier and mitigate the risks. This detection is made by a Splunk query that utilizes the Endpoint.Filesystem data model and the Endpoint.Processes data model. The query looks for any process writing to the "*$Recycle.Bin*" file path, excluding explorer.exe. This detection is important because it suggests that an attacker is attempting to hide their activities by using the Recycle Bin, which can lead to data theft, ransomware, or other damaging outcomes. Detecting writes to the Recycle Bin by a process other than explorer.exe can help to investigate and determine if the activity is malicious or benign. False positives might occur since there might be legitimate uses of the Recycle Bin by processes other than explorer.exe. Next steps include reviewing the process writing to the Recycle Bin and any relevant on-disk artifacts upon triage. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1036"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects when a process other than explorer.exe writes to the Windows Recycle Bin to detect potential threats earlier and mitigate the risks. This detection is made by a Splunk query that utilizes the Endpoint.Filesystem data model and the Endpoint.Processes data model. The query looks for any process writing to the "*$Recycle.Bin*" file path, excluding explorer.exe. 
This detection is important because it suggests that an attacker is attempting to hide their activities by using the Recycle Bin, which can lead to data theft, ransomware, or other damaging outcomes. Detecting writes to the Recycle Bin by a process other than explorer.exe can help to investigate and determine if the activity is malicious or benign. False positives might occur since there might be legitimate uses of the Recycle Bin by processes other than explorer.exe. Next steps include reviewing the process writing to the Recycle Bin and any relevant on-disk artifacts upon triage. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on filesystem and process logs responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` nodes. @@ -42289,7 +42979,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious writes to windows Recycle Bin - Rule -action.correlationsearch.annotations = {"analytic_story": ["Collection and Staging", "PlugX"], "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "mitre_attack": ["T1036"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Collection and Staging", "PlugX"], "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -42312,7 +43002,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic is designed to spot instances of 'svchost.exe' initiating a Living Off The Land Binaries and Scripts (LOLBAS) execution process. Often, adversaries manipulate Task Scheduler to execute code on remote endpoints, resulting in the spawning of a malicious command as a child process of 'svchost.exe'. By tracking child processes of 'svchost.exe' that align with the LOLBAS project, potential lateral movement activity can be detected. The analytic examines process details, including the process name, parent process, and command-line executions. A comprehensive list of LOLBAS processes is included in the search parameters. Although the analytic might catch legitimate applications exhibiting this behavior, these instances should be filtered accordingly. The findings from this analytic offer valuable insight into potentially malicious activities on an endpoint. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic is designed to spot instances of 'svchost.exe' initiating a Living Off The Land Binaries and Scripts (LOLBAS) execution process. Often, adversaries manipulate Task Scheduler to execute code on remote endpoints, resulting in the spawning of a malicious command as a child process of 'svchost.exe'. By tracking child processes of 'svchost.exe' that align with the LOLBAS project, potential lateral movement activity can be detected. The analytic examines process details, including the process name, parent process, and command-line executions. 
A comprehensive list of LOLBAS processes is included in the search parameters. Although the analytic might catch legitimate applications exhibiting this behavior, these instances should be filtered accordingly. The findings from this analytic offer valuable insight into potentially malicious activities on an endpoint. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -42335,7 +43025,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Svchost LOLBAS Execution Process Spawn - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -42358,7 +43048,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect a suspicious dxdiag.exe process command-line execution. Dxdiag is used to collect the system info of the target host. This technique has been used by Remcos RATS, various actors, and other malware to collect information as part of the recon or collection phase of an attack. This behavior should rarely be seen in a corporate network, but this command line can be used by a network administrator to audit host machine specifications. Thus in some rare cases, this detection will contain false positives in its results. To triage further, analyze what commands were passed after it pipes out the result to a file for further processing. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1592"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to detect a suspicious dxdiag.exe process command-line execution. Dxdiag is used to collect the system info of the target host. This technique has been used by Remcos RATS, various actors, and other malware to collect information as part of the recon or collection phase of an attack. This behavior should rarely be seen in a corporate network, but this command line can be used by a network administrator to audit host machine specifications. Thus in some rare cases, this detection will contain false positives in its results. To triage further, analyze what commands were passed after it pipes out the result to a file for further processing. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -42376,7 +43066,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - System Info Gathering Using Dxdiag Application - Rule -action.correlationsearch.annotations = {"analytic_story": ["Remcos"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1592"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Remcos"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -42393,7 +43083,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = Detect system information discovery techniques used by attackers to understand configurations of the system to further exploit it. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1082"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = Detect system information discovery techniques used by attackers to understand configurations of the system to further exploit it. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -42408,7 +43098,7 @@ action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Bla action.escu.analytic_story = ["Discovery Techniques"] action.risk = 1 action.risk.param._risk_message = Potential system information discovery behavior on $dest$ by $user$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 15}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 15}] +action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 15}, {"risk_object_field": "user", "risk_object_type": "other", "risk_score": 15}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -42416,7 +43106,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - System Information Discovery Detection - Rule -action.correlationsearch.annotations = {"analytic_story": ["Discovery Techniques"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1082"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Discovery Techniques"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
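Review bot: The `action.risk.param._risk` line in this hunk retypes the `user` risk object from `"risk_object_type": "user"` to `"risk_object_type": "other"`, while the risk message on the preceding line (`by $user$`) and `action.notable.param.nes_fields = user,dest` in the next hunk still treat that field as a user identity. If `user` carries an actual account name for this detection, typing it `other` keeps its 15-point score out of user-centric risk aggregation and any thresholds built on user risk objects; if the retyping is deliberate because the field is not a reliable identity here, that rationale is not visible in the hunk and would be worth recording. Because this is an auto-generated dist file, the correction (or the justification) belongs in the source detection definition that produces it rather than in this patch.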
@@ -42441,7 +43131,7 @@ action.escu.enabled = 1 description = This search looks for system processes that typically execute from `C:\Windows\System32\` or `C:\Windows\SysWOW64`. This may indicate a malicious process that is trying to hide as a legitimate process.\ This detection utilizes a lookup that is deduped `system32` and `syswow64` directories from Server 2016 and Windows 10.\ During triage, review the parallel processes - what process moved the native Windows binary? identify any artifacts on disk and review. If a remote destination is contacted, what is the reputation? -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1036", "T1036.003"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1036.003"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for system processes that typically execute from `C:\Windows\System32\` or `C:\Windows\SysWOW64`. This may indicate a malicious process that is trying to hide as a legitimate process.\ This detection utilizes a lookup that is deduped `system32` and `syswow64` directories from Server 2016 and Windows 10.\ 
@@ -42466,7 +43156,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - System Processes Run From Unexpected Locations - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Command-Line Executions", "Unusual Processes", "Ransomware", "Masquerading - Rename System Utilities", "Qakbot", "Windows Error Reporting Service Elevation of Privilege Vulnerability", "DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "mitre_attack": ["T1036", "T1036.003"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious Command-Line Executions", "Unusual Processes", "Ransomware", "Masquerading - Rename System Utilities", "Qakbot", "Windows Error Reporting Service Elevation of Privilege Vulnerability", "DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1036.003"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -42483,7 +43173,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `query.exe` with command-line arguments utilized to discover the logged user. Red Teams and adversaries alike may leverage `query.exe` to identify system users on a compromised endpoint for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `query.exe` with command-line arguments utilized to discover the logged user. Red Teams and adversaries alike may leverage `query.exe` to identify system users on a compromised endpoint for situational awareness and Active Directory Discovery. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -42501,7 +43191,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - System User Discovery With Query - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1033"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -42518,7 +43208,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `whoami.exe` without any arguments. This windows native binary prints out the current logged user. Red Teams and adversaries alike may leverage `whoami.exe` to identify system users on a compromised endpoint for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `whoami.exe` without any arguments. This windows native binary prints out the current logged user. Red Teams and adversaries alike may leverage `whoami.exe` to identify system users on a compromised endpoint for situational awareness and Active Directory Discovery. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -42536,7 +43226,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - System User Discovery With Whoami - Rule -action.correlationsearch.annotations = {"analytic_story": ["Winter Vivern", "Active Directory Discovery", "Rhysida Ransomware", "Qakbot", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1033"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Winter Vivern", "Active Directory Discovery", "Rhysida Ransomware", "Qakbot", "CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -42553,7 +43243,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect a suspicious modification of time provider registry for persistence and autostart. This technique can allow the attacker to persist on the compromised host and autostart as soon as the machine boot up. This TTP can be a good indicator of suspicious behavior since this registry is not commonly modified by normal user or even an admin. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1547.003", "T1547"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.003", "T1547"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to detect a suspicious modification of time provider registry for persistence and autostart. This technique can allow the attacker to persist on the compromised host and autostart as soon as the machine boot up. This TTP can be a good indicator of suspicious behavior since this registry is not commonly modified by normal user or even an admin. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 
@@ -42576,7 +43266,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Time Provider Persistence Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["Hermetic Wiper", "Windows Privilege Escalation", "Windows Persistence Techniques", "Windows Registry Abuse", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1547.003", "T1547"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Hermetic Wiper", "Windows Privilege Escalation", "Windows Persistence Techniques", "Windows Registry Abuse", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.003", "T1547"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -42599,7 +43289,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint action.escu = 0 action.escu.enabled = 1 description = this search is to detect potential trickbot infection through the create/connected named pipe to the system. This technique is used by trickbot to communicate to its c2 to post or get command during infection. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = this search is to detect potential trickbot infection through the create/connected named pipe to the system. This technique is used by trickbot to communicate to its c2 to post or get command during infection. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and pipename from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. . @@ -42622,7 +43312,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Trickbot Named Pipe - Rule -action.correlationsearch.annotations = {"analytic_story": ["Trickbot"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Trickbot"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -42645,7 +43335,7 @@ search = `sysmon` EventCode IN (17,18) PipeName="\\pipe\\*lacesomepipe" | stats action.escu = 0 action.escu.enabled = 1 description = This search is to detect a suspicious loaded unsigned dll by MMC.exe application. This technique is commonly seen in attacker that tries to bypassed UAC feature or gain privilege escalation. This is done by modifying some CLSID registry that will trigger the mmc.exe to load the dll path -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1548.002", "T1548", "T1218.014"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548", "T1218.014"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search is to detect a suspicious loaded unsigned dll by MMC.exe application. This technique is commonly seen in attacker that tries to bypassed UAC feature or gain privilege escalation. This is done by modifying some CLSID registry that will trigger the mmc.exe to load the dll path action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. 
@@ -42668,7 +43358,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - UAC Bypass MMC Load Unsigned Dll - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "mitre_attack": ["T1548.002", "T1548", "T1218.014"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548.002", "T1548", "T1218.014"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -42691,7 +43381,7 @@ search = `sysmon` EventCode=7 ImageLoaded = "*.dll" Image = "*\\mmc.exe" Signed action.escu = 0 action.escu.enabled = 1 description = This search is to detect a possible uac bypass using the colorui.dll COM Object. this technique was seen in so many malware and ransomware like lockbit where it make use of the colorui.dll COM CLSID to bypass UAC. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This search is to detect a possible uac bypass using the colorui.dll COM Object. this technique was seen in so many malware and ransomware like lockbit where it make use of the colorui.dll COM CLSID to bypass UAC. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. 
@@ -42714,7 +43404,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - UAC Bypass With Colorui COM Object - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "LockBit Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "LockBit Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -42737,7 +43427,7 @@ search = `sysmon` EventCode=7 ImageLoaded="*\\colorui.dll" process_name != "colo action.escu = 0 action.escu.enabled = 1 description = This search is to detect a suspicious un-installation of application using msiexec. This technique was seen in conti leak tool and script where it tries to uninstall AV product using this commandline. This commandline to uninstall product is not a common practice in enterprise network. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218.007", "T1218"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007", "T1218"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search is to detect a suspicious un-installation of application using msiexec. This technique was seen in conti leak tool and script where it tries to uninstall AV product using this commandline. This commandline to uninstall product is not a common practice in enterprise network. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -42760,7 +43450,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Uninstall App Using MsiExec - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "mitre_attack": ["T1218.007", "T1218"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Ransomware"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.007", "T1218"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -42783,7 +43473,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a process performing an outbound connection on port 88 used by default by the network authentication protocol Kerberos. Typically, on a regular Windows endpoint, only the lsass.exe process is the one tasked with connecting to the Kerberos Distribution Center to obtain Kerberos tickets. Identifying an unknown process using this protocol may be evidence of an adversary abusing the Kerberos protocol. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1550"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint", "Network_Traffic"] action.escu.eli5 = The following analytic identifies a process performing an outbound connection on port 88 used by default by the network authentication protocol Kerberos. Typically, on a regular Windows endpoint, only the lsass.exe process is the one tasked with connecting to the Kerberos Distribution Center to obtain Kerberos tickets. Identifying an unknown process using this protocol may be evidence of an adversary abusing the Kerberos protocol. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -42806,7 +43496,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Unknown Process Using The Kerberos Protocol - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "mitre_attack": ["T1550"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1550"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -42829,7 +43519,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint action.escu = 0 action.escu.enabled = 1 description = Attackers often disable security tools to avoid detection. This search looks for the usage of process `fltMC.exe` to unload a Sysmon Driver that will stop sysmon from collecting the data. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = Attackers often disable security tools to avoid detection. This search looks for the usage of process `fltMC.exe` to unload a Sysmon Driver that will stop sysmon from collecting the data. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -42852,7 +43542,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Unload Sysmon Filter Driver - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Disabling Security Tools"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A", "Disabling Security Tools"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -42877,7 +43567,7 @@ action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies the behavior of AMSI being tampered with. Implemented natively in many frameworks, the command will look similar to `SEtValuE($Null,(New-OBJEct COLlECtionS.GenerIC.HAshSEt{[StrINg]))}$ReF=[ReF].AsSeMbLY.GeTTyPe("System.Management.Automation.Amsi"+"Utils")` taken from Powershell-Empire. \ During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562", "T1059.001", "T1059"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1562", "T1059.001", "T1059"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \ This analytic identifies the behavior of AMSI being tampered with. Implemented natively in many frameworks, the command will look similar to `SEtValuE($Null,(New-OBJEct COLlECtionS.GenerIC.HAshSEt{[StrINg]))}$ReF=[ReF].AsSeMbLY.GeTTyPe("System.Management.Automation.Amsi"+"Utils")` taken from Powershell-Empire. \ 
@@ -42902,7 +43592,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Unloading AMSI via Reflection - Rule -action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1562", "T1059.001", "T1059"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1562", "T1059.001", "T1059"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -42927,7 +43617,7 @@ search = `powershell` EventCode=4104 ScriptBlockText = *system.management.automa action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following hunting analytic leverages Event ID 4769, `A Kerberos service ticket was requested`, to identify an unusual number of computer service ticket requests from one source. When a domain joined endpoint connects to a remote endpoint, it first will request a Kerberos Ticket with the computer name as the Service Name. An endpoint requesting a large number of computer service tickets for different endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc. The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of service requests. To customize this analytic, users can try different combinations of the `bucket` span time, the calculation of the `upperBound` field as well as the Outlier calculation. This logic can be used for real time security monitoring as well as threat hunting exercises. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following hunting analytic leverages Event ID 4769, `A Kerberos service ticket was requested`, to identify an unusual number of computer service ticket requests from one source. 
When a domain joined endpoint connects to a remote endpoint, it first will request a Kerberos Ticket with the computer name as the Service Name. An endpoint requesting a large number of computer service tickets for different endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc. The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of service requests. To customize this analytic, users can try different combinations of the `bucket` span time, the calculation of the `upperBound` field as well as the Outlier calculation. This logic can be used for real time security monitoring as well as threat hunting exercises. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. @@ -42945,7 +43635,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Unusual Number of Computer Service Tickets Requested - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -42963,7 +43653,7 @@ action.escu = 0 action.escu.enabled = 1 description = The following hunting analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential kerberoasting attack against Active Directory networks. Kerberoasting allows an adversary to request kerberos tickets for domain accounts typically used as service accounts and attempt to crack them offline allowing them to obtain privileged access to the domain.\ The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number service ticket requests. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following hunting analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential kerberoasting attack against Active Directory networks. Kerberoasting allows an adversary to request kerberos tickets for domain accounts typically used as service accounts and attempt to crack them offline allowing them to obtain privileged access to the domain.\ The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number service ticket requests. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. 
@@ -42987,7 +43677,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Unusual Number of Kerberos Service Tickets Requested - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558", "T1558.003"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -43004,7 +43694,7 @@ search = `wineventlog_security` EventCode=4769 Service_Name!="*$" Ticket_Encryp action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following hunting analytic leverages Event ID 4624, `An account was successfully logged on`, to identify an unusual number of remote authentication attempts coming from one source. An endpoint authenticating to a large number of remote endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc. The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual high number of authentication events.To customize this analytic, users can try different combinations of the `bucket` span time, the calculation of the `upperBound` field as well as the Outlier calculation.This logic can be used for real time security monitoring as well as threat hunting exercises. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following hunting analytic leverages Event ID 4624, `An account was successfully logged on`, to identify an unusual number of remote authentication attempts coming from one source. An endpoint authenticating to a large number of remote endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc. 
The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual high number of authentication events.To customize this analytic, users can try different combinations of the `bucket` span time, the calculation of the `upperBound` field as well as the Outlier calculation.This logic can be used for real time security monitoring as well as threat hunting exercises. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. @@ -43022,7 +43712,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Unusual Number of Remote Endpoint Authentication Events - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "mitre_attack": ["T1078"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -43119,7 +43809,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic looks for the execution of `powershell.exe` with command-line arguments that leverage PowerShell environment variables to identify the current logged user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `powershell.exe` with command-line arguments that leverage PowerShell environment variables to identify the current logged user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -43137,7 +43827,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - User Discovery With Env Vars PowerShell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1033"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -43154,7 +43844,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the use of PowerShell environment variables to identify the current logged user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the use of PowerShell environment variables to identify the current logged user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery. action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
@@ -43172,7 +43862,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - User Discovery With Env Vars PowerShell Script Block - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1033"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1033"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -43189,7 +43879,7 @@ search = `powershell` EventCode=4104 (ScriptBlockText = "*$env:UserName*" OR Scr action.escu = 0 action.escu.enabled = 1 description = The fsutil.exe application is a legitimate Windows utility used to perform tasks related to the file allocation table (FAT) and NTFS file systems. The update sequence number (USN) change journal provides a log of all changes made to the files on the disk. This search looks for fsutil.exe deleting the USN journal. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The fsutil.exe application is a legitimate Windows utility used to perform tasks related to the file allocation table (FAT) and NTFS file systems. The update sequence number (USN) change journal provides a log of all changes made to the files on the disk. This search looks for fsutil.exe deleting the USN journal. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -43212,7 +43902,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - USN Journal Deletion - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Log Manipulation", "Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "mitre_attack": ["T1070"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Windows Log Manipulation", "Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1070"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -43235,7 +43925,7 @@ search = | tstats `security_content_summariesonly` count values(Processes.proces action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect a suspicious wscript commandline to execute vbscript. This technique was seen in several malware to execute malicious vbs file using wscript application. commonly vbs script is associated to cscript process and this can be a technique to evade process parent child detections or even some av script emulation system. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to detect a suspicious wscript commandline to execute vbscript. This technique was seen in several malware to execute malicious vbs file using wscript application. commonly vbs script is associated to cscript process and this can be a technique to evade process parent child detections or even some av script emulation system. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -43258,7 +43948,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Vbscript Execution Using Wscript App - Rule -action.correlationsearch.annotations = {"analytic_story": ["FIN7", "Remcos", "AsyncRAT"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["FIN7", "Remcos", "AsyncRAT"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.005", "T1059"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -43281,7 +43971,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic is to detect a possible abuse of verclsid to execute malicious file through generate CLSID. This process is a normal application of windows to verify the CLSID COM object before it is instantiated by Windows Explorer. This hunting query can be a good pivot point to analyze what is he CLSID or COM object pointing too to check if it is a valid application or not. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218.012", "T1218"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.012", "T1218"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is to detect a possible abuse of verclsid to execute malicious file through generate CLSID. This process is a normal application of windows to verify the CLSID COM object before it is instantiated by Windows Explorer. This hunting query can be a good pivot point to analyze what is he CLSID or COM object pointing too to check if it is a valid application or not. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -43299,7 +43989,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Verclsid CLSID Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["Unusual Processes"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1218.012", "T1218"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Unusual Processes"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218.012", "T1218"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -43316,7 +44006,7 @@ search = | tstats `security_content_summariesonly` values(Processes.process) as
 action.escu = 0
 action.escu.enabled = 1
 description = This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1505", "T1505.003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.003"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -43339,7 +44029,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - W3WP Spawning Shell - Rule
-action.correlationsearch.annotations = {"analytic_story": ["ProxyNotShell", "Data Destruction", "ProxyShell", "Hermetic Wiper", "CISA AA22-257A", "HAFNIUM Group", "BlackByte Ransomware", "CISA AA22-264A", "Flax Typhoon", "WS FTP Server Critical Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2021-34473", "CVE-2021-34523", "CVE-2021-31207"], "impact": 70, "mitre_attack": ["T1505", "T1505.003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["ProxyNotShell", "Data Destruction", "ProxyShell", "Hermetic Wiper", "CISA AA22-257A", "HAFNIUM Group", "BlackByte Ransomware", "CISA AA22-264A", "Flax Typhoon", "WS FTP Server Critical Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 80, "cve": ["CVE-2021-34473", "CVE-2021-34523", "CVE-2021-31207"], "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505", "T1505.003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -43362,7 +44052,7 @@ search = | tstats `security_content_summariesonly` count values(Processes.proces
 action.escu = 0
 action.escu.enabled = 1
 description = This search looks for flags passed to wbadmin.exe (Windows Backup Administrator Tool) that delete backup files. This is typically used by ransomware to prevent recovery.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search looks for flags passed to wbadmin.exe (Windows Backup Administrator Tool) that delete backup files. This is typically used by ransomware to prevent recovery.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -43385,7 +44075,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - WBAdmin Delete System Backups - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Ryuk Ransomware", "Ransomware", "Prestige Ransomware", "Chaos Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Ryuk Ransomware", "Ransomware", "Prestige Ransomware", "Chaos Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1490"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -43408,7 +44098,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies a potential suspicious process loading a COM object from wbemprox.dll or faskprox.dll. The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. This feature is being abused by several threat actors, adversaries or even red teamers to gain privilege escalation or even to evade detections. This TTP is a good indicator that a process is loading possible known .dll modules that were known for its COM object.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies a potential suspicious process loading a COM object from wbemprox.dll or faskprox.dll. The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. This feature is being abused by several threat actors, adversaries or even red teamers to gain privilege escalation or even to evade detections. This TTP is a good indicator that a process is loading possible known .dll modules that were known for its COM object.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
@@ -43431,7 +44121,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Wbemprox COM Object Execution - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Revil Ransomware", "LockBit Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Revil Ransomware", "LockBit Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -43454,7 +44144,7 @@ search = `sysmon` EventCode=7 ImageLoaded IN ("*\\fastprox.dll", "*\\wbemprox.d
 action.escu = 0
 action.escu.enabled = 1
 description = This search is designed to detect suspicious wermgr.exe process that tries to connect to known IP web services. This technique is know for trickbot and other trojan spy malware to recon the infected machine and look for its ip address without so much finger print on the commandline process. Since wermgr.exe is designed for error handling process of windows it is really suspicious that this process is trying to connect to this IP web services cause that maybe cause of some malicious code injection.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1590", "T1590.005"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1590", "T1590.005"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = This search is designed to detect suspicious wermgr.exe process that tries to connect to known IP web services. This technique is know for trickbot and other trojan spy malware to recon the infected machine and look for its ip address without so much finger print on the commandline process. Since wermgr.exe is designed for error handling process of windows it is really suspicious that this process is trying to connect to this IP web services cause that maybe cause of some malicious code injection.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, dns query name process path , and query ststus from your endpoints like EventCode 22. If you are using Sysmon, you must have at least version 12 of the Sysmon TA.
@@ -43477,7 +44167,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Wermgr Process Connecting To IP Check Web Services - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Trickbot"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1590", "T1590.005"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Trickbot"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1590", "T1590.005"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -43500,7 +44190,7 @@ search = `sysmon` EventCode =22 process_name = wermgr.exe QueryName IN ("*wtfism
 action.escu = 0
 action.escu.enabled = 1
 description = this search is designed to detect potential malicious wermgr.exe process that drops or create executable file. Since wermgr.exe is an application trigger when error encountered in a process, it is really un ussual to this process to drop executable file. This technique is commonly seen in trickbot malware where it injects it code to this process to execute it malicious behavior like downloading other payload
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1027"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = this search is designed to detect potential malicious wermgr.exe process that drops or create executable file. Since wermgr.exe is an application trigger when error encountered in a process, it is really un ussual to this process to drop executable file. This technique is commonly seen in trickbot malware where it injects it code to this process to execute it malicious behavior like downloading other payload
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.
@@ -43523,7 +44213,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Wermgr Process Create Executable File - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Trickbot"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1027"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Trickbot"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -43546,7 +44236,7 @@ search = `sysmon` EventCode=11 process_name = "wermgr.exe" TargetFilename = "*.e
 action.escu = 0
 action.escu.enabled = 1
 description = This search is designed to detect suspicious cmd and powershell process spawned by wermgr.exe process. This suspicious behavior are commonly seen in code injection technique technique like trickbot to execute a shellcode, dll modules to run malicious behavior.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search is designed to detect suspicious cmd and powershell process spawned by wermgr.exe process. This suspicious behavior are commonly seen in code injection technique technique like trickbot to execute a shellcode, dll modules to run malicious behavior.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -43569,7 +44259,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Wermgr Process Spawned CMD Or Powershell Process - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Trickbot", "Qakbot"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1059"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Trickbot", "Qakbot"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -43592,7 +44282,7 @@ search = | tstats `security_content_summariesonly` values(Processes.process) as
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -43615,7 +44305,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Wget Download and Bash Execution - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Ingress Tool Transfer", "Log4Shell CVE-2021-44228"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-44228"], "impact": 80, "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Ingress Tool Transfer", "Log4Shell CVE-2021-44228"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-44228"], "impact": 80, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -43638,7 +44328,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, internet via secure tunneling,instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1102"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1102"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, internet via secure tunneling,instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network.
 action.escu.how_to_implement = This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days.
@@ -43661,7 +44351,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows Abused Web Services - Rule
-action.correlationsearch.annotations = {"analytic_story": ["NjRAT"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "mitre_attack": ["T1102"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["NjRAT"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1102"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -43684,7 +44374,7 @@ search = `sysmon` EventCode=22 QueryName IN ("*pastebin*",""*textbin*"", "*ngrok
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies a suspicious process enabling the "SeDebugPrivilege" privilege token. SeDebugPrivilege allows a process to inspect and adjust the memory of other processes, and has long been a security concern. SeDebugPrivilege allows the token bearer to access any process or thread, regardless of security descriptors, per Palantir. This technique is abused by adversaries to gain debug privileges with their malicious software to be able to access or debug a process to dump credentials or to inject malicious code.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1134.002", "T1134"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.002", "T1134"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies a suspicious process enabling the "SeDebugPrivilege" privilege token. SeDebugPrivilege allows a process to inspect and adjust the memory of other processes, and has long been a security concern. SeDebugPrivilege allows the token bearer to access any process or thread, regardless of security descriptors, per Palantir. This technique is abused by adversaries to gain debug privileges with their malicious software to be able to access or debug a process to dump credentials or to inject malicious code.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4703 EventCode enabled. The Windows TA is also required.
@@ -43707,7 +44397,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Brute Ratel C4", "AsyncRAT", "DarkGate Malware", "CISA AA23-347A", "PlugX"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "mitre_attack": ["T1134.002", "T1134"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Brute Ratel C4", "AsyncRAT", "DarkGate Malware", "CISA AA23-347A", "PlugX"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.002", "T1134"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -43724,7 +44414,7 @@ search = `wineventlog_security` EventCode=4703 EnabledPrivilegeList = "*SeDebugP
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies a process requesting access to winlogon.exe attempting to duplicate its handle. This technique was seen in several adversaries to gain privileges for their process. Winlogon.exe is the common targeted process of this technique because it contains high privileges and security tokens.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1134.001", "T1134"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.001", "T1134"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies a process requesting access to winlogon.exe attempting to duplicate its handle. This technique was seen in several adversaries to gain privileges for their process. Winlogon.exe is the common targeted process of this technique because it contains high privileges and security tokens.
 action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
@@ -43742,7 +44432,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows Access Token Manipulation Winlogon Duplicate Token Handle - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Brute Ratel C4"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "mitre_attack": ["T1134.001", "T1134"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Brute Ratel C4"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.001", "T1134"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -43759,7 +44449,7 @@ search = `sysmon` EventCode=10 TargetImage IN("*\\system32\\winlogon.exe*", "*\\
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies a process requesting access in winlogon.exe to duplicate its handle with a non-common or public process source path. This technique was seen where adversaries attempt to gain privileges to their process. This duplicate handle access technique, may refer to a malicious process duplicating the process token of winlogon.exe and using it to a new process instance. Winlogon.exe is the common targeted process of this technique because it contains high privileges and security tokens.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1134.001", "T1134"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.001", "T1134"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies a process requesting access in winlogon.exe to duplicate its handle with a non-common or public process source path. This technique was seen where adversaries attempt to gain privileges to their process. This duplicate handle access technique, may refer to a malicious process duplicating the process token of winlogon.exe and using it to a new process instance. Winlogon.exe is the common targeted process of this technique because it contains high privileges and security tokens.
 action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
@@ -43782,7 +44472,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows Access Token Winlogon Duplicate Handle In Uncommon Path - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Brute Ratel C4"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1134.001", "T1134"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Brute Ratel C4"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.001", "T1134"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -43798,10 +44488,10 @@ search = `sysmon` EventCode=10 TargetImage IN("*\\system32\\winlogon.exe*", "*\
 [ESCU - Windows Account Discovery for None Disable User Account - Rule]
 action.escu = 0
 action.escu.enabled = 1
-description = The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets Get-NetUser. In the context of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory user accounts that are not disabled. This hunting query is a good pivot to look for suspicious process or malware that gather user account information in a host or within network system.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1087"], "nist": ["DE.AE"]}
+description = The following analytic utilizes PowerShell Script Block Logging to identify the execution of the PowerView PowerShell commandlet Get-NetUser. In the context of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory user accounts that are not disabled. The full script block text based on the CISA-23-347A advisory is "Get-NetUser -UACFilter NOT_ACCOUNTDISABLE". Utilize this query to identify potential suspicious activity of user account enumeration.
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]}
 action.escu.data_models = []
-action.escu.eli5 = The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets Get-NetUser. In the context of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory user accounts that are not disabled. This hunting query is a good pivot to look for suspicious process or malware that gather user account information in a host or within network system.
+action.escu.eli5 = The following analytic utilizes PowerShell Script Block Logging to identify the execution of the PowerView PowerShell commandlet Get-NetUser. In the context of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory user accounts that are not disabled. The full script block text based on the CISA-23-347A advisory is "Get-NetUser -UACFilter NOT_ACCOUNTDISABLE". Utilize this query to identify potential suspicious activity of user account enumeration.
 action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=
 action.escu.known_false_positives = Administrators may leverage PowerView for legitimate purposes, filter as needed.
 action.escu.creation_date = 2023-12-15
@@ -43817,7 +44507,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows Account Discovery for None Disable User Account - Rule
-action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1087"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.001"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
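Review bot: The new `description` and `action.escu.eli5` lines in the `@@ -43798,10 +44488,10 @@` hunk cite the advisory as "CISA-23-347A", while the `analytic_story` annotation in the following `@@ -43817,7 +44507,7 @@` hunk names it "CISA AA23-347A"; the identifier should be spelled the same way in both places, e.g. `The full script block text based on the CISA AA23-347A advisory is "Get-NetUser -UACFilter NOT_ACCOUNTDISABLE".`. The sub-technique added to `mitre_attack` in both hunks, T1087.001, is Account Discovery: Local Account, yet the description says the cmdlet queries Active Directory user accounts, which reads as the Domain Account sub-technique (T1087.002) — worth confirming which mapping the detection author intended before it propagates to the API and analytic-story outputs. Since this file is rendered by the release job, both fixes belong in the source detection YAML rather than in dist/. The stanza continues beyond the end of the hunk.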
@@ -43834,7 +44524,7 @@ search = `powershell` EventCode=4104 ScriptBlockText = "*Get-NetUser*" ScriptBl
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets Get-NetUser. In the context of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory user account's "samccountname". This hunting query is a good pivot to look for suspicious process or malware that gather user account information in a host or within network system.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1087"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets Get-NetUser. In the context of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory user account's "samccountname". This hunting query is a good pivot to look for suspicious process or malware that gather user account information in a host or within network system.
 action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=
@@ -43857,7 +44547,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Account Discovery for Sam Account Name - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1087"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -43874,7 +44564,7 @@ search = `powershell` EventCode=4104 ScriptBlockText = "*Get-NetUser*" ScriptBl action.escu = 0 action.escu.enabled = 1 description = The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets Get-NetUser. This technique was observed in the context of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory user accounts that do not require preauthentication for Kerberos. This hunting query is a good pivot to look for suspicious process or malware that gather user account information in a host or within network system. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1087"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets Get-NetUser. This technique was observed in the context of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory user accounts that do not require preauthentication for Kerberos. This hunting query is a good pivot to look for suspicious process or malware that gather user account information in a host or within network system. action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= 
@@ -43892,7 +44582,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Account Discovery With NetUser PreauthNotRequire - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "mitre_attack": ["T1087"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["CISA AA23-347A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -43909,7 +44599,7 @@ search = `powershell` EventCode=4104 ScriptBlockText = "*Get-NetUser*" ScriptBl action.escu = 0 action.escu.enabled = 1 description = Windows Active Directory contains numerous objects. A statistically significant increase in access to these objects may be evidence of attacker enumeration of Active Directory. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = Windows Active Directory contains numerous objects. A statistically significant increase in access to these objects may be evidence of attacker enumeration of Active Directory. action.escu.how_to_implement = Enable Audit Directory Service Access via GPO and collect event code 4662. The required SACLs need to be created for the relevant objects. Be aware Splunk filters this event by default on the Windows TA. Recommend pre-filtering any known service accounts that frequently query AD to make detection more accurate. Setting wide search window of 48~72hr may smooth out misfires. 
@@ -43932,7 +44622,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows AD Abnormal Object Access Activity - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -43949,7 +44639,7 @@ search = `wineventlog_security` EventCode=4662 | stats min(_time) AS firstTime, action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the modification of the Access Control List for the AdminSDHolder object within a Windows domain. Specifically, the detection triggers on the addition of a new rule to the existing ACL. AdminSDHolder is an object located in the System Partition in Active Directory and is used as a security template for objects that are members of certain privileged groups. Objects in these groups are enumerated and any objects with security descriptors that dont match the AdminSDHolder ACL are flagged for updating. The Security Descriptor propagator (SDProp) process runs every 60 minutes on the PDC Emulator and re-stamps the object Access Control List (ACL) with the security permissions set on the AdminSDHolder. An adversary who has obtained privileged access to a Windows Domain may modify the AdminSDHolder ACL to establish persistence and allow an unprivileged user to take control of a domain. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1546"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the modification of the Access Control List for the AdminSDHolder object within a Windows domain. Specifically, the detection triggers on the addition of a new rule to the existing ACL. AdminSDHolder is an object located in the System Partition in Active Directory and is used as a security template for objects that are members of certain privileged groups. Objects in these groups are enumerated and any objects with security descriptors that dont match the AdminSDHolder ACL are flagged for updating. 
The Security Descriptor propagator (SDProp) process runs every 60 minutes on the PDC Emulator and re-stamps the object Access Control List (ACL) with the security permissions set on the AdminSDHolder. An adversary who has obtained privileged access to a Windows Domain may modify the AdminSDHolder ACL to establish persistence and allow an unprivileged user to take control of a domain. action.escu.how_to_implement = To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for the AdminSDHolder object in order to log modifications. @@ -43964,7 +44654,7 @@ action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"] action.risk = 1 action.risk.param._risk_message = The AdminSDHolder domain object has been modified on $Computer$ by $SubjectUserName$ -action.risk.param._risk = [{"risk_object_field": "SubjectUserName", "risk_object_type": "user", "risk_score": 56}, {"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 56}] +action.risk.param._risk = [{"risk_object_field": "SubjectUserName", "risk_object_type": "other", "risk_score": 56}, {"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 56}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
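Review bot: In the second hunk the AdminSDHolder rule downgrades `SubjectUserName` from `risk_object_type: "user"` to `"other"`, so Enterprise Security will no longer attribute the 56 points to an identity or roll them into user-level risk aggregation for an impact-80 persistence detection. The likely trigger is that the field is the raw `SubjectUserName` rather than the CIM `user` field that `nes_fields = user,dest` on the same rule expects; the search itself is outside this hunk, but normalising there, e.g. `| rename SubjectUserName as user, Computer as dest`, would let the risk object stay `"user"`/`"system"` and match the notable fields. As dist/ is generated, apply this in the source detection YAML.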
@@ -43972,7 +44662,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows AD AdminSDHolder ACL Modified - Rule -action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "mitre_attack": ["T1546"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -43995,7 +44685,7 @@ search = `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=nTSecur action.escu = 0 action.escu.enabled = 1 description = The following analytic looks for changes to the sIDHistory AD attribute of user or computer objects within different domains. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries for inter-domain privilege escalation and persistence. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic looks for changes to the sIDHistory AD attribute of user or computer objects within different domains. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries for inter-domain privilege escalation and persistence. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting eventcodes `4738` and `4742`. The Advanced Security Audit policy settings `Audit User Account Management` and `Audit Computer Account Management` within `Account Management` all need to be enabled. 
@@ -44018,7 +44708,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows AD Cross Domain SID History Addition - Rule -action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -44041,7 +44731,7 @@ search = `wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistor action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the disabling of audit policies on a domain controller. The detection is made by identifying changes made to audit policies and checks for the removal of success or failure auditing, which are common indicators of policy tampering. The detection is important because it indicates that an attacker has gained access to the domain controller and is attempting to evade detection and cover up malicious activity. The impact of such an attack can be severe, including data theft, privilege escalation, and compromise of the entire network. False positives might occur since legitimate changes to audit policies might also trigger the analytic. Upon triage, review the audit policy change event and investigate the source of the change. Additionally, you must capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the attack source." -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1562.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Change"] action.escu.eli5 = The following analytic detects the disabling of audit policies on a domain controller. The detection is made by identifying changes made to audit policies and checks for the removal of success or failure auditing, which are common indicators of policy tampering. The detection is important because it indicates that an attacker has gained access to the domain controller and is attempting to evade detection and cover up malicious activity. The impact of such an attack can be severe, including data theft, privilege escalation, and compromise of the entire network. 
False positives might occur since legitimate changes to audit policies might also trigger the analytic. Upon triage, review the audit policy change event and investigate the source of the change. Additionally, you must capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the attack source." action.escu.how_to_implement = Ensure you are ingesting EventCode `4719` from your domain controllers, the category domain_controller exists in assets and identities, and that assets and identities is enabled. If A&I is not configured, you will need to manually filter the results within the base search. @@ -44064,7 +44754,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows AD Domain Controller Audit Policy Disabled - Rule -action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 100, "mitre_attack": ["T1562.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -44087,7 +44777,7 @@ search = `wineventlog_security` EventCode=4719 (AuditPolicyChanges IN ("%%8448", action.escu = 0 action.escu.enabled = 1 description = This analytic identifies a genuine DC promotion event. Identifying when a computer assigns itself the necessary SPNs to function as a domain controller. Note these events are triggered on the existing domain controllers, not the newly joined domain controller. This detection will serve to identify rogue DCs added to the network. There are 2x detections within this analytic story which identify DCShadow attacks, if you do not currently possess the logging for these detections, remove the where clause within this detection to identify DCShadow activity. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies a genuine DC promotion event. Identifying when a computer assigns itself the necessary SPNs to function as a domain controller. Note these events are triggered on the existing domain controllers, not the newly joined domain controller. This detection will serve to identify rogue DCs added to the network. There are 2x detections within this analytic story which identify DCShadow attacks, if you do not currently possess the logging for these detections, remove the where clause within this detection to identify DCShadow activity. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting eventcode `4742`. The Advanced Security Audit policy setting `Audit Computer Account Management` within `Account Management` needs to be enabled. 
@@ -44102,7 +44792,7 @@ action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"] action.risk = 1 action.risk.param._risk_message = AD Domain Controller Promotion Event Detected for $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}] +action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "other", "risk_score": 80}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -44110,7 +44800,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows AD Domain Controller Promotion - Rule -action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1207"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
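Review bot: In the first hunk the DC Promotion rule changes `dest` from `risk_object_type: "system"` to `"other"`, which removes asset correlation for an 80-point, confidence-100 rogue-DC detection. If the motivation is that `dest` here is the 4742 computer-account name (`HOST$`) rather than a hostname — presumably, since the search is outside this hunk — the better fix is to normalise it (strip the trailing `$` before the risk action) and keep `"risk_object_type": "system"` so the event still lands on the asset. The change should be made in the generating detection YAML rather than this dist/ file.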
@@ -44133,7 +44823,7 @@ search = `wineventlog_security` EventCode=4742 ServicePrincipalNames IN ("*E3514 action.escu = 0 action.escu.enabled = 1 description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. The following analytic detects the addition of the permissions necessary to perform a DCSync attack. In order to replicate AD objects, the initiating user or computer must have the following permissions on the domain. - DS-Replication-Get-Changes - DS-Replication-Get-Changes-All Certain Sync operations may require the additional permission of DS-Replication-Get-Changes-In-Filtered-Set. By default, adding DCSync permissions via the Powerview Add-ObjectACL operation adds all 3. This alert identifies where this trifecta has been met, and also where just the base level requirements have been met. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1484"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484"], "nist": ["DE.CM"]} action.escu.data_models = ["Change"] action.escu.eli5 = The following analytic detects the addition of the permissions necessary to perform a DCSync attack. In order to replicate AD objects, the initiating user or computer must have the following permissions on the domain. - DS-Replication-Get-Changes - DS-Replication-Get-Changes-All Certain Sync operations may require the additional permission of DS-Replication-Get-Changes-In-Filtered-Set. By default, adding DCSync permissions via the Powerview Add-ObjectACL operation adds all 3. This alert identifies where this trifecta has been met, and also where just the base level requirements have been met. 
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting the eventcode 5136. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties` applied to the domain root and all descendant objects. Once the necessary logging has been enabled, enumerate the domain policy to verify if existing accounts with access need to be whitelisted, or revoked. Assets and Identities is also leveraged to automatically translate the objectSid into username. Ensure your identities lookup is configured with the sAMAccountName and objectSid of all AD user and computer objects. @@ -44156,7 +44846,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Experimental - Windows AD Domain Replication ACL Addition - Rule -action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "mitre_attack": ["T1484"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -44179,7 +44869,7 @@ search = `wineventlog_security` | rex field=AttributeValue max_match=10000 \"OA action.escu = 0 action.escu.enabled = 1 description = Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a Domain. A DC can be configured to allow the DSRM account to logon & be used in the same way as a local administrator account. This detection is looking for alterations to the behaviour of the account via registry. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a Domain. A DC can be configured to allow the DSRM account to logon & be used in the same way as a local administrator account. This detection is looking for alterations to the behaviour of the account via registry. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -44202,7 +44892,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows AD DSRM Account Changes - Rule -action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks", "Windows Registry Abuse", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "mitre_attack": ["T1098"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks", "Windows Registry Abuse", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -44225,7 +44915,7 @@ search = | tstats `security_content_summariesonly` min(_time) as _time from data action.escu = 0 action.escu.enabled = 1 description = Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a Domain. A DC can be configured to allow the DSRM account to logon & be used in the same way as a local administrator account. This detection is looking for any password reset attempts against that account. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} action.escu.data_models = ["Change"] action.escu.eli5 = Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a Domain. A DC can be configured to allow the DSRM account to logon & be used in the same way as a local administrator account. This detection is looking for any password reset attempts against that account. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting eventcode `4794` and have the Advanced Security Audit policy `Audit User Account Management` within `Account Management` enabled. 
@@ -44248,7 +44938,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows AD DSRM Password Reset - Rule -action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "mitre_attack": ["T1098"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -44271,7 +44961,7 @@ search = | tstats `security_content_summariesonly` min(_time) as _time from data action.escu = 0 action.escu.enabled = 1 description = This detection identifies when the SID of a privileged user is added to the SID History attribute of another user. Useful for tracking SID history abuse across multiple domains. This detection leverages the Asset and Identities framework. See the implementation section for further details on configuration. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This detection identifies when the SID of a privileged user is added to the SID History attribute of another user. Useful for tracking SID history abuse across multiple domains. This detection leverages the Asset and Identities framework. See the implementation section for further details on configuration. action.escu.how_to_implement = Ensure you have objectSid and the Down Level Logon Name `DOMAIN\sAMACountName` added to the identity field of your Asset and Identities lookup, along with the category of privileged for the applicable users. Ensure you are ingesting eventcodes 4742 and 4738. Two advanced audit policies `Audit User Account Management` and `Audit Computer Account Management` under `Account Management` are required to generate these event codes. 
@@ -44294,7 +44984,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows AD Privileged Account SID History Addition - Rule -action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -44317,7 +45007,7 @@ search = `wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistor action.escu = 0 action.escu.enabled = 1 description = Windows Active Directory contains numerous objects that grant elevated access to the domain they reside in. These objects should be rarely accessed by normal users or processes. Access attempts to one or more of these objects may be evidence of attacker enumeration of Active Directory. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = Windows Active Directory contains numerous objects that grant elevated access to the domain they reside in. These objects should be rarely accessed by normal users or processes. Access attempts to one or more of these objects may be evidence of attacker enumeration of Active Directory. action.escu.how_to_implement = Enable Audit Directory Service Access via GPO and collect event code 4662. The required SACLs need to be created for the relevant objects. Be aware Splunk filters this event by default on the Windows TA. @@ -44332,7 +45022,7 @@ action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Active Directory Discovery"] action.risk = 1 action.risk.param._risk_message = The account $user$ accessed $object_count$ privileged AD object(s). -action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}, {"threat_object_field": "object_name", "threat_object_type": "other"}] +action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}, {"risk_object_field": "object_name", "risk_object_type": "other", "risk_score": 40}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
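Review bot: The second hunk turns `object_name` from a `threat_object_field` into a `risk_object_field` with a 40-point score; from the visible search prefix (`ObjectName IN ("CN=Account Opera…`) that field holds the distinguished name of the privileged AD object that was accessed, which is what was touched, not an entity that should accumulate risk. Scoring it as a risk object writes 40 points per access onto a static DN string that is neither an asset nor an identity, padding the risk index with non-actionable objects. Unless the generator no longer supports threat objects, keep `{"threat_object_field": "object_name", "threat_object_type": "other"}` in the detection YAML so the DN stays pivotable from the user's risk event instead.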
@@ -44340,7 +45030,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows AD Privileged Object Access Activity - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087", "T1087.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -44363,13 +45053,13 @@ search = `wineventlog_security` EventCode=4662 ObjectName IN ( "CN=Account Opera
 action.escu = 0
 action.escu.enabled = 1
 description = This alert was written to detect activity associated with the DCSync attack. When a domain controller receives a replication request, the user account permissions are validated, however no checks are performed to validate the request was initiated by a Domain Controller. Once an attacker gains control of an account with the necessary privileges, they can request password hashes for any or all users within the domain. This alert detects when a user account creates a handle to domainDNS with the necessary replication permissions.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.006", "T1003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.006", "T1003"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Authentication", "Change"]
 action.escu.eli5 = This alert was written to detect activity associated with the DCSync attack. When a domain controller receives a replication request, the user account permissions are validated, however no checks are performed to validate the request was initiated by a Domain Controller. Once an attacker gains control of an account with the necessary privileges, they can request password hashes for any or all users within the domain. This alert detects when a user account creates a handle to domainDNS with the necessary replication permissions.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting eventcode `4662`. The Advanced Security Audit policy settings `Audit Directory Services Access` within `DS Access` needs to be enabled, as well as the following SACLs applied to the domain root and all descendant objects.
The principals `everybody`, `Domain Computers`, and `Domain Controllers` auditing the permissions `Replicating Directory Changes`, `Replicating Directory Changes All`, and `Replicating Directory Changes In Filtered Set`
 action.escu.known_false_positives = Azure AD Connect syncing operations.
-action.escu.creation_date = 2022-09-08
-action.escu.modification_date = 2022-09-08
+action.escu.creation_date = 2024-01-05
+action.escu.modification_date = 2024-01-05
 action.escu.confidence = high
 action.escu.full_search_name = ESCU - Windows AD Replication Request Initiated by User Account - Rule
 action.escu.search_type = detection
@@ -44378,7 +45068,7 @@ action.escu.providing_technologies = ["Microsoft Windows"]
 action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks", "Credential Dumping"]
 action.risk = 1
 action.risk.param._risk_message = Windows Active Directory Replication Request Initiated by User Account $user$ at $src_ip$
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 100}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 100}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 100}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 100}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -44386,7 +45076,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows AD Replication Request Initiated by User Account - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks", "Credential Dumping"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "mitre_attack": ["T1003.006", "T1003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks", "Credential Dumping"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.006", "T1003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -44409,13 +45099,13 @@ search = `wineventlog_security` EventCode=4662 ObjectType IN ("%{19195a5b-6da0-1
 action.escu = 0
 action.escu.enabled = 1
 description = This alert was written to detect activity associated with the DCSync attack performed by computer accounts. When a domain controller receives a replication request, the account permissions are validated, however no checks are performed to validate the request was initiated by a Domain Controller. Once an attacker gains control of an account with the necessary privileges, they can request password hashes for any or all users within the domain. This alert detects when a computer account account creates a handle to domainDNS with the necessary replication permissions. These requests are then filtered to exclude where the events originate from a known domain controller IP address.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.006", "T1003"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.006", "T1003"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Authentication", "Change"]
 action.escu.eli5 = This alert was written to detect activity associated with the DCSync attack performed by computer accounts. When a domain controller receives a replication request, the account permissions are validated, however no checks are performed to validate the request was initiated by a Domain Controller. Once an attacker gains control of an account with the necessary privileges, they can request password hashes for any or all users within the domain. This alert detects when a computer account account creates a handle to domainDNS with the necessary replication permissions. These requests are then filtered to exclude where the events originate from a known domain controller IP address.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting eventcode `4662`.
The Advanced Security Audit policy settings `Audit Directory Services Access` within `DS Access` needs to be enabled, as well as the following SACLs applied to the domain root and all descendant objects. The principals `everybody`, `Domain Computers`, and `Domain Controllers` auditing the permissions `Replicating Directory Changes`, `Replicating Directory Changes All`, and `Replicating Directory Changes In Filtered Set` Assets and Identities will also need to be configured, with the category of domain_controller added for domain controllers.
 action.escu.known_false_positives = Genuine DC promotion may trigger this alert.
-action.escu.creation_date = 2023-11-07
-action.escu.modification_date = 2023-11-07
+action.escu.creation_date = 2024-01-05
+action.escu.modification_date = 2024-01-05
 action.escu.confidence = high
 action.escu.full_search_name = ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule
 action.escu.search_type = detection
@@ -44424,7 +45114,7 @@ action.escu.providing_technologies = ["Microsoft Windows"]
 action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks", "Credential Dumping"]
 action.risk = 1
 action.risk.param._risk_message = Windows Active Directory Replication Request Initiated from Unsanctioned Location $src_ip$ by $user$
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 100}, {"risk_object_field": "src_ip", "risk_object_type": "system", "risk_score": 100}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 100}, {"risk_object_field": "src_ip", "risk_object_type": "other", "risk_score": 100}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -44432,7 +45122,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks", "Credential Dumping"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "mitre_attack": ["T1003.006", "T1003"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks", "Credential Dumping"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.006", "T1003"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -44455,7 +45145,7 @@ search = `wineventlog_security` EventCode=4662 ObjectType IN ("%{19195a5b-6da0-1
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic looks for changes to the sIDHistory AD attribute of user or computer objects which exist within the same domain. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries to stealthily grant access to a backdoor account within the same domain. This analytic was written to pick up on activity via Mimikatz sid::patch. Please note there are additional avenues to abuse SID history such as DCShadow & Golden / Diamond tickets which won't be detected using these event codes.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic looks for changes to the sIDHistory AD attribute of user or computer objects which exist within the same domain. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries to stealthily grant access to a backdoor account within the same domain. This analytic was written to pick up on activity via Mimikatz sid::patch. Please note there are additional avenues to abuse SID history such as DCShadow & Golden / Diamond tickets which won't be detected using these event codes.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting eventcodes `4738` and `4742`.
The Advanced Security Audit policy settings `Audit User Account Management` and `Audit Computer Account Management` within `Account Management` all need to be enabled. SID resolution is not required..
@@ -44478,7 +45168,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows AD Same Domain SID History Addition - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134.005", "T1134"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -44501,7 +45191,7 @@ search = `wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistor
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies the addition of a Service Principal Name to a domain account. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Servce Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies the addition of a Service Principal Name to a domain account. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Servce Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password.
 action.escu.how_to_implement = To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled.
Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications.
@@ -44516,7 +45206,7 @@ action.escu.providing_technologies = ["Microsoft Windows"]
 action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"]
 action.risk = 1
 action.risk.param._risk_message = A Servince Principal Name for $ObjectDN$ was set by $user$
-action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 30}, {"risk_object_field": "ObjectDN", "risk_object_type": "user", "risk_score": 30}]
+action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "other", "risk_score": 30}, {"risk_object_field": "ObjectDN", "risk_object_type": "user", "risk_score": 30}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -44524,7 +45214,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows AD ServicePrincipalName Added To Domain Account - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -44547,7 +45237,7 @@ search = `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=service
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies the addition of a Service Principal Name to a domain account that is quickly deleted within 5 minutes or less. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Service Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password. To clean things up, the adversary may delete the SPN which will trigger this detection.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies the addition of a Service Principal Name to a domain account that is quickly deleted within 5 minutes or less. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Service Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password.
To clean things up, the adversary may delete the SPN which will trigger this detection.
 action.escu.how_to_implement = To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications.
@@ -44570,7 +45260,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows AD Short Lived Domain Account ServicePrincipalName - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1098"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -44593,7 +45283,7 @@ search = `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=service
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies when either a global catalog SPN or a DRS RPC SPN are temporarily added to an Active Directory computer object, both of which can be evidence of a DCShadow attack. DCShadow allows an attacker who has obtained privileged access to register a rogue Domain Controller (DC). Once registered, the rogue DC may be able to inject and replicate changes into the AD infrastructure for any domain object, including credentials and keys. This technique was initially released in 2018 by security researchers Benjamin Delpy and Vincent Le Toux. No event logs are written for changes to AD attributes, allowing for stealthy backdoors to be implanted in the domain, or metadata such as timestamps overwritten to cover tracks.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies when either a global catalog SPN or a DRS RPC SPN are temporarily added to an Active Directory computer object, both of which can be evidence of a DCShadow attack. DCShadow allows an attacker who has obtained privileged access to register a rogue Domain Controller (DC). Once registered, the rogue DC may be able to inject and replicate changes into the AD infrastructure for any domain object, including credentials and keys. This technique was initially released in 2018 by security researchers Benjamin Delpy and Vincent Le Toux. No event logs are written for changes to AD attributes, allowing for stealthy backdoors to be implanted in the domain, or metadata such as timestamps overwritten to cover tracks.
action.escu.how_to_implement = To successfully implement this search, you need to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties` applied to the domain root and all descendant objects.
@@ -44616,7 +45306,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows AD Short Lived Domain Controller SPN Attribute - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "mitre_attack": ["T1207"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -44639,7 +45329,7 @@ search = `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=serviceP
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies a change in an Active Directory environment that could represent evidence of the DCShadow attack. DCShadow allows an attacker who has obtained privileged access to register a rogue Domain Controller (DC). Once registered, the rogue DC may be able to inject and replicate changes in the AD infrastructure for any domain object, including credentials and keys. This technique was initially released in 2018 by security researchers Benjamin Delpy and Vincent Le Toux. Specifically, the detection will trigger when a possible rogue Domain Controller computer object is created and quickly deleted within 30 seconds or less in an Active Directory domain. This behavior was identfied by simulating the DCShadow attack with Mimikatz.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies a change in an Active Directory environment that could represent evidence of the DCShadow attack. DCShadow allows an attacker who has obtained privileged access to register a rogue Domain Controller (DC). Once registered, the rogue DC may be able to inject and replicate changes in the AD infrastructure for any domain object, including credentials and keys. This technique was initially released in 2018 by security researchers Benjamin Delpy and Vincent Le Toux. Specifically, the detection will trigger when a possible rogue Domain Controller computer object is created and quickly deleted within 30 seconds or less in an Active Directory domain. This behavior was identfied by simulating the DCShadow attack with Mimikatz.
action.escu.how_to_implement = To successfully implement this search, you ned to be ingesting Event codes `5137` and `5141`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. For these event codes to be generated, specific SACLs are required.
@@ -44654,7 +45344,7 @@ action.escu.providing_technologies = ["Microsoft Windows"]
 action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"]
 action.risk = 1
 action.risk.param._risk_message = Potential DCShadow Attack Detected on $Computer$
-action.risk.param._risk = [{"risk_object_field": "SubjectUserName", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 64}]
+action.risk.param._risk = [{"risk_object_field": "SubjectUserName", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 64}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -44662,7 +45352,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows AD Short Lived Server Object - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1207"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1207"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -44685,7 +45375,7 @@ search = `wineventlog_security` EventCode=5137 OR EventCode=5141 ObjectDN="*CN=
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic leverages event code `5136` to identify a modification of the SID History AD attribute. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries to stealthily grant access to a backdoor account within the same domain.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1134", "T1134.005"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134", "T1134.005"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic leverages event code `5136` to identify a modification of the SID History AD attribute. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries to stealthily grant access to a backdoor account within the same domain.
 action.escu.how_to_implement = To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications.
@@ -44700,7 +45390,7 @@ action.escu.providing_technologies = ["Microsoft Windows"]
 action.escu.analytic_story = ["Sneaky Active Directory Persistence Tricks"]
 action.risk = 1
 action.risk.param._risk_message = SID History AD attribute modified by $SubjectUserName$ for $ObjectDN$
-action.risk.param._risk = [{"risk_object_field": "SubjectUserName", "risk_object_type": "user", "risk_score": 56}]
+action.risk.param._risk = [{"risk_object_field": "SubjectUserName", "risk_object_type": "other", "risk_score": 56}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -44708,7 +45398,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows AD SID History Attribute Modified - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "mitre_attack": ["T1134", "T1134.005"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134", "T1134.005"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -44731,7 +45421,7 @@ search = `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=sIDHist
 action.escu = 0
 action.escu.enabled = 1
 description = This search looks for the execution of `adfind.exe` with command-line arguments that it uses by default specifically the filter or search functions. It also considers the arguments necessary like objectcategory, see readme for more details: https://www.joeware.net/freetools/tools/adfind/usage.htm. AdFind.exe is a powerful tool that is commonly used for querying and retrieving information from Active Directory (AD). While it is primarily designed for AD administration and management, it has been seen used before by Wizard Spider, FIN6 and actors whom also launched SUNBURST.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = This search looks for the execution of `adfind.exe` with command-line arguments that it uses by default specifically the filter or search functions. It also considers the arguments necessary like objectcategory, see readme for more details: https://www.joeware.net/freetools/tools/adfind/usage.htm. AdFind.exe is a powerful tool that is commonly used for querying and retrieving information from Active Directory (AD). While it is primarily designed for AD administration and management, it has been seen used before by Wizard Spider, FIN6 and actors whom also launched SUNBURST.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process.
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -44754,7 +45444,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows AdFind Exe - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Domain Trust Discovery", "IcedID", "NOBELIUM Group", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Domain Trust Discovery", "IcedID", "NOBELIUM Group", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -44777,7 +45467,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic is developed to identify suspicious file creation in the root drive (C:\). This tactic was observed in NjRAT as a means to ascertain whether its malware instance running on the compromised host possesses administrative privileges. The methodology involves an attempt to create a 'win.dat' file in the C:\ directory. If this file is successfully created, it serves as an indicator that the process indeed holds administrative privileges. This anomaly detection mechanism serves as a valuable pivot point for detecting NjRAT and other malware strains employing similar techniques to assess the privileges of their running malware instances, without using token privilege API calls or PowerShell commandlets. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1069.001"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069.001"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is developed to identify suspicious file creation in the root drive (C:\). This tactic was observed in NjRAT as a means to ascertain whether its malware instance running on the compromised host possesses administrative privileges. The methodology involves an attempt to create a 'win.dat' file in the C:\ directory. If this file is successfully created, it serves as an indicator that the process indeed holds administrative privileges. This anomaly detection mechanism serves as a valuable pivot point for detecting NjRAT and other malware strains employing similar techniques to assess the privileges of their running malware instances, without using token privilege API calls or PowerShell commandlets. 
action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. @@ -44792,7 +45482,7 @@ action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Bla action.escu.analytic_story = ["NjRAT"] action.risk = 1 action.risk.param._risk_message = A file was created in root drive C:/ on host - $dest$ -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"threat_object_field": "file_name", "threat_object_type": "file name"}] +action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -44800,7 +45490,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Admin Permission Discovery - Rule -action.correlationsearch.annotations = {"analytic_story": ["NjRAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1069.001"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["NjRAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069.001"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -44817,7 +45507,7 @@ search = |tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic leverages Event IDs 5140 or 5145 to identify a source computer accessing windows administrative shares (C$, Admin$ and IPC$ ) across a large number remote endpoints. Specifically, the logic will trigger when a source endpoint accesses administrative shares across 30 or more target computers within a 5 minute timespan. This behavior could represent an adversary who is enumerating network shares across an Active Directory environment in the search for sensitive files, a common technique leveraged by red teamers and threat actors. As environments differ across organizations, security teams should customize the thresholds of this detection as needed. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1135"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1135"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic leverages Event IDs 5140 or 5145 to identify a source computer accessing windows administrative shares (C$, Admin$ and IPC$ ) across a large number remote endpoints. Specifically, the logic will trigger when a source endpoint accesses administrative shares across 30 or more target computers within a 5 minute timespan. This behavior could represent an adversary who is enumerating network shares across an Active Directory environment in the search for sensitive files, a common technique leveraged by red teamers and threat actors. As environments differ across organizations, security teams should customize the thresholds of this detection as needed. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting file share events. 
The Advanced Security Audit policy setting `Audit Detailed File Share` or `Audit File Share` within `Object Access` need to be enabled. @@ -44832,7 +45522,7 @@ action.escu.providing_technologies = ["Microsoft Windows"] action.escu.analytic_story = ["Active Directory Privilege Escalation", "Active Directory Lateral Movement"] action.risk = 1 action.risk.param._risk_message = $IpAddress$ accessed the IPC share on more than 30 endpoints in a timespan of 5 minutes. -action.risk.param._risk = [{"risk_object_field": "host_targets", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "IpAddress", "risk_object_type": "system", "risk_score": 56}] +action.risk.param._risk = [{"risk_object_field": "host_targets", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "IpAddress", "risk_object_type": "other", "risk_score": 56}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * @@ -44840,7 +45530,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation", "Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "mitre_attack": ["T1135"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation", "Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1135"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -44863,7 +45553,7 @@ search = `wineventlog_security` EventCode=5140 OR EventCode=5145 (ShareName="\\ action.escu = 0 action.escu.enabled = 1 description = The following analytic leverages Splunks Admon to identify the modification of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the modification of the default GPOs. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic leverages Splunks Admon to identify the modification of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. 
Security teams should monitor the modification of the default GPOs. action.escu.how_to_implement = To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory @@ -44886,7 +45576,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Admon Default Group Policy Object Modified - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -44909,7 +45599,7 @@ search = `admon` admonEventType=Update objectCategory="CN=Group-Policy-Containe action.escu = 0 action.escu.enabled = 1 description = The following analytic leverages Splunks Admon to identify the creation of a new Group Policy Object. With GPOs, system administrators can manage and configure applications, software operations, and user settings throughout an entire organization. GPOs can be abused and leveraged by adversaries to escalate privileges or deploy malware across an Active Directory network. As an example, the Lockbit ransomware malware will create new group policies on the domain controller that are then pushed out to every device on the network. Security teams should monitor the creation of new Group Policy Objects. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic leverages Splunks Admon to identify the creation of a new Group Policy Object. With GPOs, system administrators can manage and configure applications, software operations, and user settings throughout an entire organization. GPOs can be abused and leveraged by adversaries to escalate privileges or deploy malware across an Active Directory network. As an example, the Lockbit ransomware malware will create new group policies on the domain controller that are then pushed out to every device on the network. Security teams should monitor the creation of new Group Policy Objects. action.escu.how_to_implement = To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory 
@@ -44932,7 +45622,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Admon Group Policy Object Created - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -44954,14 +45644,14 @@ search = `admon` admonEventType=Update objectCategory="CN=Group-Policy-Containe [ESCU - Windows Alternate DataStream - Base64 Content - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following analytic detects when an uninterrupted string of base64 characters is written to the contents of an NTFS file system alternate data stream. This behavior could indicate a threat actor staging malicious code within difficult to detect areas of the file system for later use or persistence. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1564", "T1564.004"], "nist": ["DE.CM"]} +description = This analytic leverages Sysmon Event ID 15, a critical file creation event, to detect the creation of Alternate Data Streams (ADS) on Windows systems. ADS is a feature of the NTFS file system that allows the storage of data in hidden streams attached to files. These streams are not visible in standard file listings, making them a popular technique for concealing malicious activity. Event ID 15 captures both the hash of the primary file content (unnamed stream) and the content of any additional named streams, which can include executables, scripts, or configuration data. Malware often exploits ADS to hide payloads, leveraging browser downloads to attach a Zone.Identifier stream, marking the file as originating from the Internet (Mark Of The Web, MOTW). This analytic is designed to identify such misuse by analyzing the content and creation patterns of named streams, including those under 1KB which may contain MOTW information. It is essential for detecting sophisticated threats that utilize non-executable file types or conceal malicious scripts within ADS, beyond the traditional focus on PE executables. The detection process involves monitoring for the creation of named streams, which are part of the NTFS structure and can be examined using tools like PowerShell for the presence of additional data streams or MOTW information. 
This approach helps in uncovering hidden payloads and tracking the origin of suspicious files downloaded via browsers or email clients, providing a comprehensive defense against ADS abuse. +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564", "T1564.004"], "nist": ["DE.CM"]} action.escu.data_models = [] -action.escu.eli5 = The following analytic detects when an uninterrupted string of base64 characters is written to the contents of an NTFS file system alternate data stream. This behavior could indicate a threat actor staging malicious code within difficult to detect areas of the file system for later use or persistence. +action.escu.eli5 = This analytic leverages Sysmon Event ID 15, a critical file creation event, to detect the creation of Alternate Data Streams (ADS) on Windows systems. ADS is a feature of the NTFS file system that allows the storage of data in hidden streams attached to files. These streams are not visible in standard file listings, making them a popular technique for concealing malicious activity. Event ID 15 captures both the hash of the primary file content (unnamed stream) and the content of any additional named streams, which can include executables, scripts, or configuration data. Malware often exploits ADS to hide payloads, leveraging browser downloads to attach a Zone.Identifier stream, marking the file as originating from the Internet (Mark Of The Web, MOTW). This analytic is designed to identify such misuse by analyzing the content and creation patterns of named streams, including those under 1KB which may contain MOTW information. It is essential for detecting sophisticated threats that utilize non-executable file types or conceal malicious scripts within ADS, beyond the traditional focus on PE executables. 
The detection process involves monitoring for the creation of named streams, which are part of the NTFS structure and can be examined using tools like PowerShell for the presence of additional data streams or MOTW information. This approach helps in uncovering hidden payloads and tracking the origin of suspicious files downloaded via browsers or email clients, providing a comprehensive defense against ADS abuse. action.escu.how_to_implement = Target environment must ingest sysmon data, specifically Event ID 15. action.escu.known_false_positives = Unknown -action.escu.creation_date = 2023-10-30 -action.escu.modification_date = 2023-10-30 +action.escu.creation_date = 2024-02-15 +action.escu.modification_date = 2024-02-15 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Alternate DataStream - Base64 Content - Rule action.escu.search_type = detection @@ -44970,7 +45660,7 @@ action.escu.providing_technologies = null action.escu.analytic_story = ["Windows Defense Evasion Tactics"] action.risk = 1 action.risk.param._risk_message = Base64 content written to an NTFS alternate data stream by $user$, see command field for details. -action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "other", "risk_score": 80}, {"threat_object_field": "file_name", "threat_object_type": "file name"}] +action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "other", "risk_score": 80}, {"threat_object_field": "file_name", "threat_object_type": "file_name"}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 cron_schedule = 0 * * * * 
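Review bot: The rewritten `description` and `action.escu.eli5` in this hunk (and `action.notable.param.rule_description` in the hunk that follows) now state that the analytic identifies named streams including Zone.Identifier/MOTW streams under 1KB, but the rule title, the unchanged `action.risk.param._risk_message` (`Base64 content written to an NTFS alternate data stream by $user$, see command field for details.`) and the search as far as it survives in this chunk (`NOT Contents IN ("-","[ZoneTransfer]*")`) still target base64 content and explicitly exclude ZoneTransfer streams. An analyst triaging the notable would read a description of behaviour the query does not look for, so the text should be brought back in line with the search, e.g. `description = The following analytic detects an uninterrupted string of base64 characters written to the contents of an NTFS alternate data stream (Sysmon Event ID 15), excluding Zone.Identifier (MOTW) streams; ...`. The same hunk also moves `action.escu.creation_date` from 2023-10-30 to 2024-02-15 alongside `modification_date`, which discards the rule's original creation date; only the modification date appears to warrant the update. Since this is a generated dist file, the correction belongs in the source detection YAML the release job renders from.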
@@ -44978,11 +45668,11 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Alternate DataStream - Base64 Content - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "mitre_attack": ["T1564", "T1564.004"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics"], "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564", "T1564.004"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic detects when an uninterrupted string of base64 characters is written to the contents of an NTFS file system alternate data stream. This behavior could indicate a threat actor staging malicious code within difficult to detect areas of the file system for later use or persistence. +action.notable.param.rule_description = This analytic leverages Sysmon Event ID 15, a critical file creation event, to detect the creation of Alternate Data Streams (ADS) on Windows systems. ADS is a feature of the NTFS file system that allows the storage of data in hidden streams attached to files. These streams are not visible in standard file listings, making them a popular technique for concealing malicious activity. Event ID 15 captures both the hash of the primary file content (unnamed stream) and the content of any additional named streams, which can include executables, scripts, or configuration data. Malware often exploits ADS to hide payloads, leveraging browser downloads to attach a Zone.Identifier stream, marking the file as originating from the Internet (Mark Of The Web, MOTW). 
This analytic is designed to identify such misuse by analyzing the content and creation patterns of named streams, including those under 1KB which may contain MOTW information. It is essential for detecting sophisticated threats that utilize non-executable file types or conceal malicious scripts within ADS, beyond the traditional focus on PE executables. The detection process involves monitoring for the creation of named streams, which are part of the NTFS structure and can be examined using tools like PowerShell for the presence of additional data streams or MOTW information. This approach helps in uncovering hidden payloads and tracking the origin of suspicious files downloaded via browsers or email clients, providing a comprehensive defense against ADS abuse. action.notable.param.rule_title = Windows Alternate DataStream - Base64 Content action.notable.param.security_domain = endpoint action.notable.param.severity = high 
@@ -44995,19 +45685,19 @@ relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false -search = `sysmon` EventCode=15 NOT Contents IN ("-","[ZoneTransfer]*") | regex TargetFilename="(? 50 caches only 50 login attempts. By default all versions of Windows 10 save cached logins except Windows Server 2008. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.005", "T1003"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.005", "T1003"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies a process command line related to the discovery of cache domain credential logon count in the registry. This Technique was being abused by several post exploitation tool like Winpeas where it query CachedLogonsCount registry value in Winlogon registry. This value can be good information about the login caching setting on the Windows OS target host. A value of 0 means login caching is disable and values > 50 caches only 50 login attempts. By default all versions of Windows 10 save cached logins except Windows Server 2008. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -45655,7 +46345,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Cached Domain Credentials Reg Query - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "mitre_attack": ["T1003.005", "T1003"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.005", "T1003"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -45672,7 +46362,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic is developed to detect suspicious process commandline to change or set the default file association of a file without file extension with notepad.exe. This technique was seen in some APT and ransomware Prestige where it set/modify the default process to run file association, like .txt to notepad.exe. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1546.001", "T1546"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.001", "T1546"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic is developed to detect suspicious process commandline to change or set the default file association of a file without file extension with notepad.exe. This technique was seen in some APT and ransomware Prestige where it set/modify the default process to run file association, like .txt to notepad.exe. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -45695,7 +46385,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Change Default File Association For No File Ext - Rule -action.correlationsearch.annotations = {"analytic_story": ["Prestige Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1546.001", "T1546"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Prestige Ransomware"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.001", "T1546"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -45718,7 +46408,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a powershell script command to retrieve clipboard data. This technique was seen in several post exploitation tools like WINPEAS to steal sensitive information that was saved in clipboard. Using the Get-Clipboard powershell commandlet, adversaries can be able collect data stored in clipboard that might be a copied user name, password or other sensitive information. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1115"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1115"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies a powershell script command to retrieve clipboard data. This technique was seen in several post exploitation tools like WINPEAS to steal sensitive information that was saved in clipboard. Using the Get-Clipboard powershell commandlet, adversaries can be able collect data stored in clipboard that might be a copied user name, password or other sensitive information. action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
@@ -45741,7 +46431,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows ClipBoard Data via Get-ClipBoard - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1115"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1115"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -45758,7 +46448,7 @@ search = `powershell` EventCode=4104 ScriptBlockText = "*Get-Clipboard*" | stats action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the use of reg.exe performing an add to the InProcServer32, which may be related to COM hijacking. Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1546.015", "T1546"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.015", "T1546"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the use of reg.exe performing an add to the InProcServer32, which may be related to COM hijacking. Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -45781,7 +46471,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows COM Hijacking InprocServer32 Modification - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1546.015", "T1546"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1546.015", "T1546"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -45804,7 +46494,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies path traversal command-line execution and should be used to tune and driver other more higher fidelity analytics. This technique was seen in malicious document that execute malicious code using msdt.exe and path traversal technique that serve as defense evasion. This Hunting query is a good pivot to look for possible suspicious process and command-line that runs execute path traversal technique to run malicious code. This may help you to find possible downloaded malware or other lolbin execution. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies path traversal command-line execution and should be used to tune and driver other more higher fidelity analytics. This technique was seen in malicious document that execute malicious code using msdt.exe and path traversal technique that serve as defense evasion. This Hunting query is a good pivot to look for possible suspicious process and command-line that runs execute path traversal technique to run malicious code. This may help you to find possible downloaded malware or other lolbin execution. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -45822,7 +46512,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Command and Scripting Interpreter Hunting Path Traversal - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "mitre_attack": ["T1059"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -45839,7 +46529,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies path traversal command-line execution. This technique was seen in malicious document that execute malicious code using msdt.exe and path traversal technique that serve as defense evasion. This TTP is a good pivot to look for more suspicious process and command-line that runs before and after this execution. This may help you to find possible downloaded malware or other lolbin execution. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies path traversal command-line execution. This technique was seen in malicious document that execute malicious code using msdt.exe and path traversal technique that serve as defense evasion. This TTP is a good pivot to look for more suspicious process and command-line that runs before and after this execution. This may help you to find possible downloaded malware or other lolbin execution. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -45862,7 +46552,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Command and Scripting Interpreter Path Traversal Exec - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "mitre_attack": ["T1059"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Windows Defense Evasion Tactics", "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -45885,7 +46575,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies DCRat "forkbomb" payload feature. This technique was seen in dark crystal RAT backdoor capabilities where it will execute several cmd child process executing "notepad.exe & pause". The following analytic detects the multiple cmd.exe and child process notepad.exe execution using batch script in the targeted host within 30s timeframe. this TTP can be a good pivot to check DCRat infection. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059.003", "T1059"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003", "T1059"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies DCRat "forkbomb" payload feature. This technique was seen in dark crystal RAT backdoor capabilities where it will execute several cmd child process executing "notepad.exe & pause". The following analytic detects the multiple cmd.exe and child process notepad.exe execution using batch script in the targeted host within 30s timeframe. this TTP can be a good pivot to check DCRat infection. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -45908,7 +46598,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Command Shell DCRat ForkBomb Payload - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkCrystal RAT"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "mitre_attack": ["T1059.003", "T1059"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["DarkCrystal RAT"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1059.003", "T1059"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -45931,7 +46621,7 @@ search = | tstats `security_content_summariesonly` values(Processes.process) as action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a suspicious process command line fetching the environment variables with a non-shell parent process. This technique was seen in qakbot malware where it fetches the environment variable in the target or compromised host. This TTP detection is a good pivot of possible malicious behavior since the command line is executed by a common non-shell process like cmd.exe , powershell.exe and many more. This can also be a good sign that the parent process has a malicious code injected to it to execute this command. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies a suspicious process command line fetching the environment variables with a non-shell parent process. This technique was seen in qakbot malware where it fetches the environment variable in the target or compromised host. This TTP detection is a good pivot of possible malicious behavior since the command line is executed by a common non-shell process like cmd.exe , powershell.exe and many more. This can also be a good sign that the parent process has a malicious code injected to it to execute this command. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. @@ -45954,7 +46644,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Command Shell Fetch Env Variables - Rule -action.correlationsearch.annotations = {"analytic_story": ["Qakbot"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Qakbot"], "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -45977,7 +46667,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following correlation identifies instances where four or more distinct detection analytics are associated with malicious command line behavior that is known to be exploited by multiple threat actors, adversaries, or red teamers on a specific host. By leveraging the Command Line Interface (CLI), attackers can execute malicious commands, gain access to sensitive data, install backdoors, and engage in various nefarious activities. The impact of such compromise can be severe, as attackers may gain unauthorized control over the compromised system, enabling them to exfiltrate valuable information, escalate privileges, or launch further attacks within the network. If this detection is triggered, there is a high level of confidence in the occurrence of suspicious command line activities on the host. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1222", "T1049", "T1033", "T1529", "T1016", "T1059"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Actions on Objectives", "Installation"], "mitre_attack": ["T1222", "T1049", "T1033", "T1529", "T1016", "T1059"], "nist": ["DE.AE"]} action.escu.data_models = ["Risk"] action.escu.eli5 = The following correlation identifies instances where four or more distinct detection analytics are associated with malicious command line behavior that is known to be exploited by multiple threat actors, adversaries, or red teamers on a specific host. By leveraging the Command Line Interface (CLI), attackers can execute malicious commands, gain access to sensitive data, install backdoors, and engage in various nefarious activities. 
The impact of such compromise can be severe, as attackers may gain unauthorized control over the compromised system, enabling them to exfiltrate valuable information, escalate privileges, or launch further attacks within the network. If this detection is triggered, there is a high level of confidence in the occurrence of suspicious command line activities on the host. action.escu.how_to_implement = Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance. 
@@ -45995,7 +46685,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - RIR - Windows Common Abused Cmd Shell Risk Behavior - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "Volt Typhoon", "Sandworm Tools", "Windows Post-Exploitation", "FIN7", "Qakbot", "Netsh Abuse", "DarkCrystal RAT", "Windows Defense Evasion Tactics", "CISA AA23-347A", "Disabling Security Tools"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1222", "T1049", "T1033", "T1529", "T1016", "T1059"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Azorult", "Volt Typhoon", "Sandworm Tools", "Windows Post-Exploitation", "FIN7", "Qakbot", "Netsh Abuse", "DarkCrystal RAT", "Windows Defense Evasion Tactics", "CISA AA23-347A", "Disabling Security Tools"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Actions on Objectives", "Installation"], "mitre_attack": ["T1222", "T1049", "T1033", "T1529", "T1016", "T1059"], "nist": ["DE.AE"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -46018,7 +46708,7 @@ search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_ action.escu = 0 action.escu.enabled = 1 description = The following analytic identifes a Computer Account creating a new Computer Account with specific a Service Principle Name - "RestrictedKrbHost". The RestrictedKrbHost service class allows client applications to use Kerberos authentication when they do not have the identity of the service but have the server name. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifes a Computer Account creating a new Computer Account with specific a Service Principle Name - "RestrictedKrbHost". The RestrictedKrbHost service class allows client applications to use Kerberos authentication when they do not have the identity of the service but have the server name. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4741 EventCode enabled. The Windows TA is also required. 
@@ -46041,7 +46731,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Computer Account Created by Computer Account - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "mitre_attack": ["T1558"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -46064,7 +46754,7 @@ search = `wineventlog_security` EventCode=4741 user_type=computer Subject_Accoun action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a ComputerAccount requesting a Kerberos Ticket. typically, a user account requests a Kerberos ticket. This behavior was identified with KrbUpRelay, but additional Kerberos attacks have exhibited similar behavior. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies a ComputerAccount requesting a Kerberos Ticket. typically, a user account requests a Kerberos ticket. This behavior was identified with KrbUpRelay, but additional Kerberos attacks have exhibited similar behavior. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4768 EventCode enabled. The Windows TA is also required. 
@@ -46087,7 +46777,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "mitre_attack": ["T1558"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -46110,7 +46800,7 @@ search = `wineventlog_security` EventCode=4768 Account_Name="*$" src_ip!="::1" action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies two SPNs, HOST and RestrictedKrbHost, added using the KrbRelayUp behavior. This particular behavior has been found in other Kerberos based attacks. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]} action.escu.data_models = ["Change"] action.escu.eli5 = The following analytic identifies two SPNs, HOST and RestrictedKrbHost, added using the KrbRelayUp behavior. This particular behavior has been found in other Kerberos based attacks. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4741 EventCode enabled. The Windows TA is also required. 
@@ -46133,7 +46823,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Computer Account With SPN - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1558"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1558"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -46156,7 +46846,7 @@ search = `wineventlog_security` EventCode=4741 MSADChangedAttributes IN ("*HOST/ action.escu = 0 action.escu.enabled = 1 description = The following analytic detects the unusual use of the Windows Console Host process (conhost.exe) with the undocumented --headless parameter to spawn a new process. This behavior is highly unusual and indicative of suspicious activity, as the --headless parameter is not commonly used in legitimate operations. The analytic identifies this behavior by looking for instances where conhost.exe is invoked with the --headless argument. This behavior is worth identifying for a Security Operations Center (SOC) as it could indicate an attacker's attempt to execute commands or scripts in a stealthy manner, potentially to establish persistence, perform lateral movement, or carry out other malicious activities. If a true positive is identified, it suggests that an attacker has gained a foothold in the environment and is attempting to further their attack, which could lead to serious consequences such as data exfiltration, system compromise, or deployment of ransomware. Potential false positives could arise from legitimate administrative activity, hence it is important to validate the context of the detected behavior during triage. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1564.003", "T1564.006"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.003", "T1564.006"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic detects the unusual use of the Windows Console Host process (conhost.exe) with the undocumented --headless parameter to spawn a new process. This behavior is highly unusual and indicative of suspicious activity, as the --headless parameter is not commonly used in legitimate operations. 
The analytic identifies this behavior by looking for instances where conhost.exe is invoked with the --headless argument. This behavior is worth identifying for a Security Operations Center (SOC) as it could indicate an attacker's attempt to execute commands or scripts in a stealthy manner, potentially to establish persistence, perform lateral movement, or carry out other malicious activities. If a true positive is identified, it suggests that an attacker has gained a foothold in the environment and is attempting to further their attack, which could lead to serious consequences such as data exfiltration, system compromise, or deployment of ransomware. Potential false positives could arise from legitimate administrative activity, hence it is important to validate the context of the detected behavior during triage. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -46179,7 +46869,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows ConHost with Headless Argument - Rule -action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 70, "impact": 100, "mitre_attack": ["T1564.003", "T1564.006"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Spearphishing Attachments"], "cis20": ["CIS 10"], "confidence": 70, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1564.003", "T1564.006"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -46202,7 +46892,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a new local user account added to a computer. Note that, this should be restricted to critical assets. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.AE"]} action.escu.data_models = ["Change"] action.escu.eli5 = The following analytic identifies a new local user account added to a computer. Note that, this should be restricted to critical assets. action.escu.how_to_implement = This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/ 
@@ -46225,7 +46915,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Create Local Account - Rule -action.correlationsearch.annotations = {"analytic_story": ["Account Monitoring and Controls"], "cis20": ["CIS 10"], "confidence": 90, "impact": 20, "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Account Monitoring and Controls"], "cis20": ["CIS 10"], "confidence": 90, "impact": 20, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.001", "T1136"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -46242,7 +46932,7 @@ search = | tstats `security_content_summariesonly` values(All_Changes.result_id) action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the use of CreateDump.exe being used to perform a process dump. This particular binary is not native to Windows, but is found to be brought in my many different third party applications including PowerShell 7. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1003.001"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the use of CreateDump.exe being used to perform a process dump. This particular binary is not native to Windows, but is found to be brought in my many different third party applications including PowerShell 7. action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
@@ -46265,7 +46955,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Credential Dumping LSASS Memory Createdump - Rule -action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"], "cis20": ["CIS 10"], "confidence": 70, "impact": 100, "mitre_attack": ["T1003.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"], "cis20": ["CIS 10"], "confidence": 70, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest 
@@ -46288,7 +46978,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This analytic focuses on identifying non-chrome processes that attempt to access the Chrome extensions file. This file contains crucial settings and information related to the browser's extensions installed on the computer. Adversaries and malware authors have been known to exploit this file to extract sensitive information from the Chrome browser on targeted hosts. Detecting such anomalous behavior provides valuable insights for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for access to the Chrome extensions file by non-chrome processes, we can enhance our ability to detect potential threats and protect sensitive information stored within the browser. -action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = This analytic focuses on identifying non-chrome processes that attempt to access the Chrome extensions file. This file contains crucial settings and information related to the browser's extensions installed on the computer. Adversaries and malware authors have been known to exploit this file to extract sensitive information from the Chrome browser on targeted hosts. Detecting such anomalous behavior provides valuable insights for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for access to the Chrome extensions file by non-chrome processes, we can enhance our ability to detect potential threats and protect sensitive information stored within the browser. 
action.escu.how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." @@ -46300,7 +46990,7 @@ action.escu.full_search_name = ESCU - Windows Credentials from Password Stores C action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["DarkGate Malware", "CISA AA23-347A", "Amadey", "RedLine Stealer"] +action.escu.analytic_story = ["DarkGate Malware", "CISA AA23-347A", "Amadey", "RedLine Stealer", "Phemedrone Stealer"] action.risk = 1 action.risk.param._risk_message = A non-chrome process $process_name$ accessing chrome browser extension folder files on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] @@ -46311,7 +47001,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware", "CISA AA23-347A", "Amadey", "RedLine Stealer"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1012"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware", "CISA AA23-347A", "Amadey", "RedLine Stealer", "Phemedrone Stealer"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true 
@@ -46328,7 +47018,7 @@ search = `wineventlog_security` EventCode=4663 object_file_path="*\\AppData\\Loc
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic is designed to detect non-chrome processes accessing the Chrome user data file called "local state." This file contains important settings and information related to the browser's operations on the computer. Threat actors, adversaries, and malware authors have been known to exploit this file in attempts to extract the encrypted master key used for decrypting passwords saved in the Chrome browser. Detecting access to the "local state" file by non-chrome processes serves as a valuable pivot for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for this anomaly, we can improve our ability to identify potential threats and safeguard sensitive information stored within the browser.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This analytic is designed to detect non-chrome processes accessing the Chrome user data file called "local state." This file contains important settings and information related to the browser's operations on the computer. Threat actors, adversaries, and malware authors have been known to exploit this file in attempts to extract the encrypted master key used for decrypting passwords saved in the Chrome browser. Detecting access to the "local state" file by non-chrome processes serves as a valuable pivot for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for this anomaly, we can improve our ability to identify potential threats and safeguard sensitive information stored within the browser.
 action.escu.how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure."
@@ -46340,7 +47030,7 @@ action.escu.full_search_name = ESCU - Windows Credentials from Password Stores C
 action.escu.search_type = detection
 action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
 action.escu.providing_technologies = ["Microsoft Windows"]
-action.escu.analytic_story = ["RedLine Stealer", "Amadey", "Warzone RAT", "NjRAT", "DarkGate Malware"]
+action.escu.analytic_story = ["RedLine Stealer", "Amadey", "Warzone RAT", "NjRAT", "DarkGate Malware", "Phemedrone Stealer"]
 action.risk = 1
 action.risk.param._risk_message = A non-chrome process $process_name$ accessing "Chrome\\User Data\\Local State" file on $dest$
 action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
@@ -46351,7 +47041,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule
-action.correlationsearch.annotations = {"analytic_story": ["RedLine Stealer", "Amadey", "Warzone RAT", "NjRAT", "DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1012"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["RedLine Stealer", "Amadey", "Warzone RAT", "NjRAT", "DarkGate Malware", "Phemedrone Stealer"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -46368,7 +47058,7 @@ search = `wineventlog_security` EventCode=4663 object_file_path="*\\AppData\\Loc
 action.escu = 0
 action.escu.enabled = 1
 description = This analytic is designed to identify non-chrome processes accessing the Chrome user data file called "login data." This SQLite database file contains important information related to the browser's operations on the computer. Threat actors, adversaries, and malware authors have been known to exploit this file in attempts to extract and decrypt passwords saved in the Chrome browser. Detecting access to the "login data" file by non-chrome processes serves as a valuable pivot for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for this anomaly, we can enhance our ability to detect potential threats and protect sensitive information stored within the browser.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This analytic is designed to identify non-chrome processes accessing the Chrome user data file called "login data." This SQLite database file contains important information related to the browser's operations on the computer. Threat actors, adversaries, and malware authors have been known to exploit this file in attempts to extract and decrypt passwords saved in the Chrome browser. Detecting access to the "login data" file by non-chrome processes serves as a valuable pivot for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for this anomaly, we can enhance our ability to detect potential threats and protect sensitive information stored within the browser.
 action.escu.how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure."
@@ -46380,7 +47070,7 @@ action.escu.full_search_name = ESCU - Windows Credentials from Password Stores C
 action.escu.search_type = detection
 action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"]
 action.escu.providing_technologies = ["Microsoft Windows"]
-action.escu.analytic_story = ["RedLine Stealer", "Amadey", "Warzone RAT", "NjRAT", "DarkGate Malware"]
+action.escu.analytic_story = ["RedLine Stealer", "Amadey", "Warzone RAT", "NjRAT", "DarkGate Malware", "Phemedrone Stealer"]
 action.risk = 1
 action.risk.param._risk_message = A non-chrome process $process_name$ accessing Chrome "Login Data" file on $dest$
 action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}]
@@ -46391,7 +47081,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule
-action.correlationsearch.annotations = {"analytic_story": ["RedLine Stealer", "Amadey", "Warzone RAT", "NjRAT", "DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "mitre_attack": ["T1012"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["RedLine Stealer", "Amadey", "Warzone RAT", "NjRAT", "DarkGate Malware", "Phemedrone Stealer"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -46408,7 +47098,7 @@ search = `wineventlog_security` EventCode=4663 object_file_path="*\\AppData\\Loc
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies a process execution of Windows OS cmdkey.exe tool. This tool is being abused or used by several post exploitation tool and malware such as Darkgate malware to create stored user names, passwords or credentials in the targeted Windows OS host. This information can be used by the attacker to gain privilege escalation and persistence in the targeted hosts for further attacks.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1555"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies a process execution of Windows OS cmdkey.exe tool. This tool is being abused or used by several post exploitation tool and malware such as Darkgate malware to create stored user names, passwords or credentials in the targeted Windows OS host. This information can be used by the attacker to gain privilege escalation and persistence in the targeted hosts for further attacks.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -46431,7 +47121,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows Credentials from Password Stores Creation - Rule
-action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1555"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -46454,7 +47144,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies a process execution of Windows OS cmdkey.exe tool. This tool is being abused or used by several post exploitation tool and malware such as Darkgate malware to delete stored user names, passwords or credentials in the targeted Windows OS host. This information can be used by the attacker to gain privilege escalation and persistence in the targeted hosts for further attacks.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1555"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies a process execution of Windows OS cmdkey.exe tool. This tool is being abused or used by several post exploitation tool and malware such as Darkgate malware to delete stored user names, passwords or credentials in the targeted Windows OS host. This information can be used by the attacker to gain privilege escalation and persistence in the targeted hosts for further attacks.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -46477,7 +47167,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows Credentials from Password Stores Deletion - Rule
-action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1555"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -46500,7 +47190,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies a process execution of Windows OS cmdkey.exe tool. This tool is being abused or used by several post exploitation tool such as winpeas that being used by ransomware prestige to list stored user names, passwords or credentials in the targeted Windows OS host. This information can be used by the attacker to gain privilege escalation and persistence in the targeted hosts for further attacks.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1555"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies a process execution of Windows OS cmdkey.exe tool. This tool is being abused or used by several post exploitation tool such as winpeas that being used by ransomware prestige to list stored user names, passwords or credentials in the targeted Windows OS host. This information can be used by the attacker to gain privilege escalation and persistence in the targeted hosts for further attacks.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -46523,7 +47213,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows Credentials from Password Stores Query - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware", "DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1555"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware", "DarkGate Malware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1555"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -46540,7 +47230,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies a process command line related to the discovery of possible password or credentials in the registry. This technique is being abused by adversaries or post exploitation tools like winpeas to steal credentials in the registry in the targeted host. Registry can contain several sensitive information like username and credentials that can be used for privilege escalation, persistence or even in lateral movement. This Anomaly detection can be a good pivot to detect a suspicious process querying a registry related to password or private keys.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies a process command line related to the discovery of possible password or credentials in the registry. This technique is being abused by adversaries or post exploitation tools like winpeas to steal credentials in the registry in the targeted host. Registry can contain several sensitive information like username and credentials that can be used for privilege escalation, persistence or even in lateral movement. This Anomaly detection can be a good pivot to detect a suspicious process querying a registry related to password or private keys.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. 
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -46563,7 +47253,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows Credentials in Registry Reg Query - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1552.002", "T1552"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -46582,7 +47272,7 @@ action.escu.enabled = 1
 description = The following analytic identifies the use of Windows Curl.exe downloading a file to a suspicious location. \
 -O or --output is used when a file is to be downloaded and placed in a specified location. \
 During triage, review parallel processes for further behavior. In addition, identify if the download was successful. If a file was downloaded, capture and analyze.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies the use of Windows Curl.exe downloading a file to a suspicious location. \
 -O or --output is used when a file is to be downloaded and placed in a specified location. \
@@ -46607,7 +47297,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows Curl Download to Suspicious Path - Rule
-action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Ingress Tool Transfer", "Forest Blizzard"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["IcedID", "Ingress Tool Transfer", "Forest Blizzard"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -46636,7 +47326,7 @@ description = The following analytic identifies the use of Windows Curl.exe uplo
 `-d` or `--data` POST is the HTTP method that was invented to send data to a receiving web application, and it is, for example, how most common HTML forms on the web work. \
 HTTP multipart formposts are done with `-F`, but this appears to not be compatible with the Windows version of Curl. Will update if identified adversary tradecraft. \
 Adversaries may use one of the three methods based on the remote destination and what they are attempting to upload (zip vs txt). During triage, review parallel processes for further behavior. In addition, identify if the upload was successful in network logs. If a file was uploaded, isolate the endpoint and review.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies the use of Windows Curl.exe uploading a file to a remote destination. \
 `-T` or `--upload-file` is used when a file is to be uploaded to a remotge destination. \
@@ -46663,7 +47353,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows Curl Upload to Remote Destination - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Ingress Tool Transfer"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Ingress Tool Transfer"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Command and Control"], "mitre_attack": ["T1105"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -46690,7 +47380,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies a suspicious process recursively deleting files in a compromised host. This behavior was seen in several destructive malware, wiper like caddy wiper, doublezero, and now swiftslicer that delete or overwrite files with random generated strings to make it unrecoverable. This analytic can also catch a possible recursive file write on multiple files using Sysmon Event 23. Sysmon treats the modified file as a deleted one as soon as it was overwritten. This analytic can be a good indicator that a possible destructive malware is running in a host machine or a big software application is being uninstalled.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic identifies a suspicious process recursively deleting files in a compromised host. This behavior was seen in several destructive malware, wiper like caddy wiper, doublezero, and now swiftslicer that delete or overwrite files with random generated strings to make it unrecoverable. This analytic can also catch a possible recursive file write on multiple files using Sysmon Event 23. Sysmon treats the modified file as a deleted one as soon as it was overwritten. This analytic can be a good indicator that a possible destructive malware is running in a host machine or a big software application is being uninstalled.
 action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the deleted target file name, process name and process id from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
@@ -46713,7 +47403,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows Data Destruction Recursive Exec Files Deletion - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Swift Slicer", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "mitre_attack": ["T1485"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Swift Slicer", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -46736,7 +47426,7 @@ search = `sysmon` EventCode=23 TargetFilename IN ("*.exe", "*.sys", "*.dll") |
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic identifies a modification to the Transcodedwallpaper file in the wallpaper theme directory to change the wallpaper of the host machine. This technique was seen in adversaries attempting to deface or change the desktop wallpaper of the targeted host. During our testing, the common process that affects or changes the wallpaper if a user changes it via desktop personalized setting is explorer.exe.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1491"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1491"], "nist": ["DE.AE"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic identifies a modification to the Transcodedwallpaper file in the wallpaper theme directory to change the wallpaper of the host machine. This technique was seen in adversaries attempting to deface or change the desktop wallpaper of the targeted host. During our testing, the common process that affects or changes the wallpaper if a user changes it via desktop personalized setting is explorer.exe.
 action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
@@ -46759,7 +47449,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows Defacement Modify Transcodedwallpaper File - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Brute Ratel C4"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "mitre_attack": ["T1491"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Brute Ratel C4"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1491"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -46776,7 +47466,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic leverages Event ID 5136 to identify the modification of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the modification of the default GPOs.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]}
 action.escu.data_models = []
 action.escu.eli5 = The following analytic leverages Event ID 5136 to identify the modification of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. 
Security teams should monitor the modification of the default GPOs.
 action.escu.how_to_implement = To successfully implement this search, the Advanced Security Audit policy setting `Audit Directory Service Changes` within `DS Access` needs to be enabled. Furthermore, the appropriate system access control lists (SACL) need to be created as the used events are not logged by default. A good guide to accomplish this can be found here https://jgspiers.com/audit-group-policy-changes/.
@@ -46791,7 +47481,7 @@ action.escu.providing_technologies = ["Microsoft Windows"]
 action.escu.analytic_story = ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"]
 action.risk = 1
 action.risk.param._risk_message = A default group policy object was modified on $Computer$ by $SubjectUserSid$
-action.risk.param._risk = [{"risk_object_field": "SubjectUserSid", "risk_object_type": "user", "risk_score": 50}, {"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 50}]
+action.risk.param._risk = [{"risk_object_field": "SubjectUserSid", "risk_object_type": "other", "risk_score": 50}, {"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 50}]
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 cron_schedule = 0 * * * *
@@ -46799,7 +47489,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows Default Group Policy Object Modified - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -46822,7 +47512,7 @@ search = `wineventlog_security` EventCode=5136 ObjectClass=groupPolicyContainer
 action.escu = 0
 action.escu.enabled = 1
 description = The following analytic leverages the Endpoint datamodel to identify the potential edition of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the edition of the default GPOs.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]}
 action.escu.data_models = ["Endpoint"]
 action.escu.eli5 = The following analytic leverages the Endpoint datamodel to identify the potential edition of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts.
Security teams should monitor the edition of the default GPOs.
 action.escu.how_to_implement = The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
@@ -46845,7 +47535,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows Default Group Policy Object Modified with GPME - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]}
+action.correlationsearch.annotations = {"analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1484", "T1484.001"], "nist": ["DE.CM"]}
 schedule_window = auto
 action.notable = 1
 action.notable.param.nes_fields = user,dest
@@ -46868,7 +47558,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime
 action.escu = 0
 action.escu.enabled = 1
 description = This detection searches for Windows Defender ASR audit events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR audit events that are generated when a process or application attempts to perform an action that would be blocked by an ASR rule, but is allowed to proceed for auditing purposes.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1566.001", "T1566.002"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1059", "T1566.001", "T1566.002"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This detection searches for Windows Defender ASR audit events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR audit events that are generated when a process or application attempts to perform an action that would be blocked by an ASR rule, but is allowed to proceed for auditing purposes.
 action.escu.how_to_implement = The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line. To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name.
Note that Audit and block Event IDs have different fields, therefore the analytic will need to be modified for each type of event.
@@ -46891,7 +47581,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows Defender ASR Audit Events - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Attack Surface Reduction"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "mitre_attack": ["T1059", "T1566.001", "T1566.002"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Attack Surface Reduction"], "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1059", "T1566.001", "T1566.002"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -46908,7 +47598,7 @@ search = `ms_defender` EventCode IN (1122, 1125, 1126, 1132, 1134) | lookup asr_
 action.escu = 0
 action.escu.enabled = 1
 description = This detection searches for Windows Defender ASR block events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR block events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. Typically, these will be enabled in block most after auditing and tuning the ASR rules themselves. Set to TTP once tuned.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1059", "T1566.001", "T1566.002"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1059", "T1566.001", "T1566.002"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This detection searches for Windows Defender ASR block events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR block events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. Typically, these will be enabled in block most after auditing and tuning the ASR rules themselves. Set to TTP once tuned.
 action.escu.how_to_implement = The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line.
To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name. Note that Audit and block Event IDs have different fields, therefore the analytic will need to be modified for each type of event.
@@ -46931,7 +47621,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows Defender ASR Block Events - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Attack Surface Reduction"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "mitre_attack": ["T1059", "T1566.001", "T1566.002"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Attack Surface Reduction"], "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1059", "T1566.001", "T1566.002"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -46948,7 +47638,7 @@ search = `ms_defender` EventCode IN (1121, 1126, 1129, 1131, 1133) | lookup asr_
 action.escu = 0
 action.escu.enabled = 1
 description = This detection searches for Windows Defender ASR registry modification events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR registry modification events that are generated when a process or application attempts to modify a registry key that is blocked by an ASR rule. Typically, these will be enabled in block most after auditing and tuning the ASR rules themselves. Set to TTP once tuned.
-action.escu.mappings = {"cis20": ["CIS 10"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
+action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
 action.escu.data_models = []
 action.escu.eli5 = This detection searches for Windows Defender ASR registry modification events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR registry modification events that are generated when a process or application attempts to modify a registry key that is blocked by an ASR rule. Typically, these will be enabled in block most after auditing and tuning the ASR rules themselves. Set to TTP once tuned.
 action.escu.how_to_implement = The following analytic requires collection of Windows Defender Operational logs in either XML or multi-line.
To collect, setup a new input for the Windows Defender Operational logs. In addition, it does require a lookup that maps the ID to ASR Rule name.
@@ -46966,7 +47656,7 @@ dispatch.earliest_time = -70m@m
 dispatch.latest_time = -10m@m
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = ESCU - Windows Defender ASR Registry Modification - Rule
-action.correlationsearch.annotations = {"analytic_story": ["Windows Attack Surface Reduction"], "cis20": ["CIS 10"], "confidence": 100, "impact": 50, "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
+action.correlationsearch.annotations = {"analytic_story": ["Windows Attack Surface Reduction"], "cis20": ["CIS 10"], "confidence": 100, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1112"], "nist": ["DE.AE"]}
 schedule_window = auto
 alert.digest_mode = 1
 disabled = true
@@ -46983,7 +47673,7 @@ search = `ms_defender` EventCode IN (5007) | rex field=New_Value "0x(?