
DLUX_4 - Updating detections and adding a new one #3140

Open. Wants to merge 29 commits into base: develop

Conversation

dluxtron (Collaborator) commented Sep 25, 2024

DL PR

Updates to existing ESCU Detections

detect_large_outbound_icmp_packets.yml

  • Added Risk Message
  • Updated Risk Object from dest to dest_ip
  • Added another risk object for src_ip
  • Added the renamed field to the values commands
  • Added filtering for dest_ips to the where clause of the tstats command
  • Added iplocation

detect_outbound_smb_traffic.yml

  • All_Traffic.direction is not populated by all firewall logs; added internal to external logic to the where clause of the tstats instead
  • Added dest_port and dest_ip to the by clause of the tstats for better filtering & RBA experience
  • Added iplocation

remote_desktop_network_bruteforce.yml

  • Updated search logic to use port 3389 as well (customer didn't have the RDP app resolving)
  • Added filtering for allowed traffic only - inbound blocked traffic was triggering this rule
  • Added src as a risk object

remote_desktop_network_traffic.yml

  • Added risk message

smb_traffic_spike.yml

  • Added risk message
  • Added src as risk object

high_volume_of_bytes_out_to_url.yml

  • Moved from Network folder to web folder

java_class_file_download_by_java_user_agent.yml

  • Moved from Network folder to web folder
  • Added missing summaries_only macro

multiple_archive_files_http_post_traffic.yml

  • Moved from Network folder to web folder

plain_http_post_exfiltrated_data.yml

  • Moved from Network folder to web folder

unusually_long_content_type_length.yml

  • Moved from Network folder to web folder
  • Rewrote detection to use Web Datamodel
  • Added risk message
  • Added risk object for src

aws_multiple_users_failing_to_authenticate_from_ip.yml

  • Added missing where clause

kerberoasting_spn_request_with_rc4_encryption.yml

  • Added user field to the SPL
  • Moved the risk object from the DC (dest) to the user
  • Added details on how to implement to use this as a risk rule in noisy environments

unusual_number_of_kerberos_service_tickets_requested.yml

  • Added user field to the SPL
  • Added user to risk object
  • Increased threshold to min 6 service accounts

windows_driver_load_non_standard_path.yml

  • Moved filtering to regex statement to anchor to known folder locations
  • Easy to bypass this detection using common folder names

detect_password_spray_attempts.yml

  • Fixed logic (this hurt my brain), should be good now.

detect_distributed_password_spray_attempts.yml

  • Same as above

windows_ad_serviceprincipalname_added_to_domain_account.yml

  • Updated base search to only focus on user accounts; this was triggering loads of false positives in customer environment
  • Adding a SPN to a computer account or gMSA would be near pointless anyway due to the long complex passwords, which will be near impossible to crack with today's technology

wineventlog_task_scheduler macro

  • Was set to wineventlog:security; updated to correct task scheduler source

Added new detection

internal_horizontal_port_scan_nmap_top_20.yml
Same as the other internal horizontal port scan, but focused on the nmap top 20.
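The internal-to-external check the author describes for detect_outbound_smb_traffic.yml (deriving direction from address ranges instead of trusting All_Traffic.direction, and keying on src_ip, dest_ip and dest_port), as an added Python example that is not code from the PR or from ESCU; the flow records and the RFC1918 ranges used for "internal" are constructed assumptions.

```python
# Added example, not the PR's SPL: emulate the outbound-SMB logic over
# constructed flow records whose field names mirror the Network_Traffic
# data model (src_ip, dest_ip, dest_port, action, direction).
import ipaddress
from collections import Counter

SMB_PORTS = {139, 445}

# Assumption: RFC1918 space is "internal"; adjust to the real address plan.
# Explicit networks are used rather than ipaddress.is_private, which also
# treats documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows; note the direction field is mostly empty,
# which is the gap the PR description points out.
FLOWS = [
    {"src_ip": "10.1.2.3", "dest_ip": "203.0.113.7", "dest_port": 445, "action": "allowed", "direction": ""},
    {"src_ip": "10.1.2.3", "dest_ip": "203.0.113.7", "dest_port": 445, "action": "allowed", "direction": ""},
    {"src_ip": "10.1.2.9", "dest_ip": "10.1.5.5", "dest_port": 445, "action": "allowed", "direction": ""},        # internal to internal
    {"src_ip": "198.51.100.4", "dest_ip": "10.1.2.3", "dest_port": 445, "action": "blocked", "direction": ""},    # inbound, blocked
    {"src_ip": "192.168.7.7", "dest_ip": "203.0.113.9", "dest_port": 139, "action": "allowed", "direction": "outbound"},
    {"src_ip": "192.168.7.7", "dest_ip": "203.0.113.9", "dest_port": 80, "action": "allowed", "direction": "outbound"},
]


def is_internal(ip):
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_smb(flows):
    """Count allowed SMB flows from internal to external, grouped by
    (src_ip, dest_ip, dest_port), the same 'by' fields the PR adds.
    The direction field is deliberately ignored."""
    hits = Counter()
    for f in flows:
        if f["dest_port"] not in SMB_PORTS or f["action"] != "allowed":
            continue
        if is_internal(f["src_ip"]) and not is_internal(f["dest_ip"]):
            hits[(f["src_ip"], f["dest_ip"], f["dest_port"])] += 1
    return hits


if __name__ == "__main__":
    for (src, dest, port), count in outbound_smb(FLOWS).items():
        print(f"{src} -> {dest}:{port} count={count}")
```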

@dluxtron dluxtron changed the title Updating detections and adding a new one DLUX_4 - Updating detections and adding a new one Oct 15, 2024